Frankenstein malware: a monster stitched together from trusted code

30 August 2012

We’re all somewhat familiar with Frankenstein’s monster: an abomination that has been stitched together, a sum of repurposed body parts, given new life that requires re-learning how to be a creature. The heady themes of Mary Shelley’s famous novel have now made their way into the information security realm thanks to cyber-researchers at the University of Texas at Dallas, who have created a monster malware stitched together from other, legitimate programs’ parts.

Dubbed Frankenstein (natch!), the malware is made up of pieces of code from benign host programs, so it doesn’t trigger any red flags as something foreign to the system. Not only that, but by looking like something trusted, it could even become whitelisted, giving it an easy tunnel straight to the heart of an organization’s network.

Also, like Frankenstein’s monster, the malicious creation is expected to learn about its environment as it goes.

“We wanted to build something that learns as it propagates,” said head researcher Kevin Hamlen, associate professor of computer science, speaking to the University of Texas at Dallas News Center. “Frankenstein takes from what is already there and reinvents itself.”

Hamlen and his co-creator, a doctoral student named Vishwath Mohan, hope to use the creature to improve anti-virus approaches and develop effective defenses against such a threat.

“Shelley’s story is an example of a horror that can result from science, and similarly, we intend our creation as a warning that we need better detections for these types of intrusions,” Hamlen said. “Criminals may already know how to create this kind of software, so we examined the science behind the danger this represents, in hopes of creating countermeasures.”

A range of metamorphic malware and viruses has already been released into the wild; loosely, the term covers malicious code that rewrites itself as it propagates. Moving from machine to machine, these viruses, much like the flu, mutate in order to avoid detection as a known threat. Frankenstein broadly falls under this model, but with the big twist of being made up of otherwise benign parts: other metamorphic malware is still a foreign entity on the system.

“Frankenstein forgoes the concept of a metamorphic engine and instead creates mutants by stitching together instructions from non-malicious programs that have been classified as benign by local defenses,” Hamlen said. “This makes it more difficult for feature-based malware detectors to reliably use those byte sequences as a signature to detect the malware.”
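To see what that claim means for a byte-signature detector, here is an added illustration (not the UT Dallas researchers' code) in which the benign "programs", the stitched samples and the foreign payload are all constructed toy byte strings: windows of bytes that lie wholly inside a borrowed fragment are, by construction, also present in whitelisted code, so the only candidate signatures are the few windows straddling fragment junctions, and those do not recur in a second sample cut at different places.

```python
# Added illustration (not the UT Dallas researchers' code): why fixed byte
# sequences make poor signatures for a sample assembled from benign programs.
# All "programs" here are constructed toy byte strings, not real binaries.

def ngrams(data: bytes, n: int) -> set:
    """Every contiguous n-byte window of data: the candidate signatures."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def benign_ngrams(benign: list, n: int) -> set:
    """Union of all n-byte windows seen in the whitelisted benign programs."""
    seen = set()
    for prog in benign:
        seen |= ngrams(prog, n)
    return seen

def usable_signatures(sample: bytes, benign: list, n: int = 4) -> set:
    """Windows of `sample` that never occur in benign code, i.e. the only
    byte sequences a signature could key on without false positives."""
    return ngrams(sample, n) - benign_ngrams(benign, n)

def signature_hits(signatures: set, sample: bytes, n: int = 4) -> set:
    """Which previously extracted signatures match a new sample."""
    return signatures & ngrams(sample, n)

def stitch(benign: list, cuts: list) -> bytes:
    """Concatenate fragments (program index, start, end) of benign programs."""
    return b"".join(benign[i][a:b] for i, a, b in cuts)

# Two constructed benign "host programs" with non-overlapping byte ranges.
BENIGN = [bytes(range(0x10, 0x30)), bytes(range(0x40, 0x60))]

# Two samples built purely from benign fragments, cut at different places.
MUTANT_1 = stitch(BENIGN, [(0, 0, 8), (1, 4, 12), (0, 16, 24)])
MUTANT_2 = stitch(BENIGN, [(1, 20, 28), (0, 8, 16), (1, 0, 8)])

# A conventional sample that carries its own foreign payload bytes,
# embedded in two different benign hosts.
PAYLOAD = b"\xde\xad\xbe\xef\xca\xfe\xba\xbe"
FOREIGN_1 = BENIGN[0][0:8] + PAYLOAD + BENIGN[0][16:24]
FOREIGN_2 = BENIGN[1][0:8] + PAYLOAD + BENIGN[1][16:24]

if __name__ == "__main__":
    sig = usable_signatures(MUTANT_1, BENIGN)
    # Only windows straddling a fragment junction are unique to MUTANT_1 ...
    print(len(sig), "junction-only signatures from MUTANT_1")
    # ... and none of them recur in MUTANT_2, which was cut elsewhere.
    print(signature_hits(sig, MUTANT_2))
    # The foreign payload, by contrast, yields a signature that survives re-hosting.
    print(signature_hits(usable_signatures(FOREIGN_1, BENIGN), FOREIGN_2))
```

With 4-byte windows, MUTANT_1 has 21 windows of which 15 are interior to a borrowed fragment and therefore indistinguishable from benign code; the 6 junction windows that remain match nothing in MUTANT_2.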
