Harvesting the benign to create a monster

August 30, 2012

When Mary Shelley wrote her seminal tale of a modern prometheus, she imagined a physical being created out of a number of disparate elements. For the creature to survive, it needed to evolve, a tale that has led to computer scientists applying the concept to malware.

According to Wired, two scientists from the University of Texas at Dallas have written self-camouflaging malicious software that harvests seemingly benign code to build an embedded computer virus. The subject of an academic paper by Vishwath Mohan and Kevin Hamlen, Frankenstein scans computers for "gadgets", innocuous programs such as a word processor or a calculator, that it then aggregates into malware.

This stitched-together malicious code is difficult to detect, mainly because local security protocols will have already classified the code as harmless. The authors of Frankenstein, which is still very much in the experimental stage, used the idea of an evolving piece of software that would take existing elements and use them as building blocks.

"We apply the idea of harvesting instructions to obfuscate malicious code," wrote the authors in their paper. "Rather than using a metamorphic engine to mutate, we stitch together harvested code sequences from benign files on the infected system to create a semantically equivalent binary. By composing the new binary entirely out of byte sequences common to benign-classified binaries, the resulting mutants are less likely to match signatures that include both whitelisting and blacklisting of binary features."

Different ski mask, same bank robber
Evolving software is not a new idea and, according to The Economist, these "obfuscation techniques" have been used by malware writers since the 1990s. As web security protocols and anti-virus scanners have adapted to the scrambled computer code that contains the virus, there are always signs that something isn't quite right, and Hamlen compares this to a bank robber with access to different ski masks.

"The robber may look different each time he holds up a bank, but that hardly matters," he says. "Hanging around a bank in a ski mask is always going to be suspicious."

Hamlen and Mohan are confident that Frankenstein will be able to alleviate the aroused suspicions of detection strategies. The fact that the code is cobbled together from other "legitimate programs" could help to fool security Software-as-a-service systems that rely on well-established methods of spotting viruses.

"Because the blueprint is not itself computer code—merely a description of what the generated code needs to do—it can be safely hidden from defensive programs with traditional encryption," says Hamlen.

-McAfee Cloud Security