Computer scientists from the University of Texas have created a piece of self-camouflaging malware -- called Frankenstein -- that stitches together pieces of benign code stolen from regular programs. By aggregating pieces of code from programs that have been classified as benign by local defences, the malware is more difficult to detect.
Created by Vishwath Mohan and Kevin Hamlen, Frankenstein searches through common software for short instruction sequences called gadgets, guided by semantic blueprints. It looks for gadgets (from programs such as Internet Explorer) that perform the specific tasks it needs, for example copying a value. It then builds working malware code -- in the shape of two simple algorithms -- out of these gadgets.
Each time Frankenstein infects a computer it creates new copies from byte sequences that are semantically equivalent (but not necessarily syntactically equivalent -- i.e. they might be written slightly differently in the code) obtained from different benign files, making each copy harder to distinguish from the benign code around it.
The work is outlined in a paper called Frankenstein: Stitching Malware from Benign Binaries. The authors say: "We apply the idea of harvesting instructions to obfuscate malicious code. Rather than using a metamorphic engine to mutate, we stitch together harvested code sequences from benign files on the infected system to create a semantically equivalent binary. By composing the new binary entirely out of byte sequences common to benign-classified binaries, the resulting mutants are less likely to match signatures that include both whitelisting and blacklisting of binary features."
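To make the "semantically equivalent but not syntactically equivalent" point concrete from a detection standpoint, here is an added illustration (not code from the paper or its authors) using a constructed toy register machine rather than real x86 encoding: three differently written sequences that all copy `ebx` into `eax` share no byte-level signature, yet a sampled semantic-equivalence check groups them together and rejects a look-alike that does something else.

```python
import random

# Toy register machine, constructed for illustration (not real x86 encoding).
# Each instruction is (opcode, dst, src); src is a register name or an int.
def run(program, state):
    """Execute a toy instruction sequence on a copy of `state`."""
    st = dict(state)
    for op, dst, src in program:
        val = st[src] if isinstance(src, str) else src
        if op == "mov":
            st[dst] = val
        elif op == "add":
            st[dst] = (st[dst] + val) & 0xFFFFFFFF
        elif op == "sub":
            st[dst] = (st[dst] - val) & 0xFFFFFFFF
        elif op == "xor":
            st[dst] = st[dst] ^ val
        elif op == "push":                      # stack kept in st["stack"]
            st["stack"] = st["stack"] + [val]
        elif op == "pop":
            st[dst], st["stack"] = st["stack"][-1], st["stack"][:-1]
        else:
            raise ValueError(f"unknown opcode {op}")
    return st

REGS = ("eax", "ebx", "ecx")

def semantically_equivalent(p, q, trials=200, seed=0):
    """Sampled blueprint match: p and q must agree on every random input
    state. One mismatch proves inequivalence; agreement on all samples is
    strong (not exhaustive) evidence of equivalence."""
    rng = random.Random(seed)
    for _ in range(trials):
        s = {r: rng.getrandbits(32) for r in REGS}
        s["stack"] = []
        if run(p, s) != run(q, s):
            return False
    return True

def byte_signature(program):
    """Stand-in for a byte-level signature: the literal encoding of the sequence."""
    return " ".join(f"{op} {dst},{src}" for op, dst, src in program)

# Three syntactically different gadgets that all copy ebx into eax.
COPY_VARIANTS = [
    [("mov", "eax", "ebx")],
    [("xor", "eax", "eax"), ("add", "eax", "ebx")],
    [("push", None, "ebx"), ("pop", "eax", None)],
]
NOT_A_COPY = [("xor", "eax", "eax"), ("sub", "eax", "ebx")]   # eax = -ebx

def classify(candidates, reference):
    """True for each candidate whose behaviour matches the reference gadget."""
    return [semantically_equivalent(c, reference) for c in candidates]
```

A real blueprint checker would reason symbolically over actual machine code; the sampling here only shows why a byte-pattern signature on any one variant misses the others.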