Wednesday, August 22, 2012

New Frankenstein Virus Can Build Itself

Frankenstein virus creates malware by stitching itself together


Scientists commissioned by the U.S. Army to develop a model of the virus that self-assembled from fragments of the software installed on the victim's computer. Conceptual design was given the name Frankenstein, says the magazine New Scientist. The scientists have set the task to create code that is difficult to detect with an unknown virus. Solved by the modular design of the virus.

Once installed on the victim machine, the virus constructs a working body of the so-called "gadgets" - small pieces of source code, each of which performs a specific narrow task. Gadgets are borrowed from programs that are installed on your computer, such as Internet Explorer or Notepad. A typical Windows-program contains about 100,000 gadgets unique building blocks for the assembly. For example, explorer.exe - 127,859 gadgets, gcc.exe - 97,163 gadgets, calc.exe - 60390, cmd.exe - 25008, notepad.exe - 6974.


Previous studies in this area have shown the theoretical possibility of designing software in this way, if a sufficient number of available gadgets. Now this theory is proven to work. Vishwath Mohan and Kevin Hamlen University of Texas at Dallas created a gadget of the program, implemented two simple algorithms that can be used in this malware.

A key feature of "Frankenstein" in the fact that the assembly work on the body given the instructions are repeated on every infected computer, but every time the new gadgets are utilized, so that the binary virus in each case, a unique. Due to this particular malware is almost impossible to find on the basis of virus signatures.

Such an approach of code generation much more effective than mutation of a given algorithm, because antivirus software quickly calculates the algorithm and adapt to it. To calculate viruses like "Frankenstein," they do not have to analyze the code and the actual behavior of the program may be running it in a sandbox. On the other hand, the malware can detect the presence of the sandbox and change their behavior, as do some of the current viruses.

Presentation of research Vishvata Mohan and Kevin Hamlen Frankenstein: "Stitching Malware from Benign Binaris" held at the conference USENIX Workshop on Offensive Technologies, which was held August 6-7, 2012 in Bellevue (Washington).

No comments:

Post a Comment