Frankenstein - Stitching Code Bodies Together To Hide Malware
Written by Mike James   
Friday, 31 August 2012

A recent research technique manages to hide malware by stitching together bits of program that are already installed in the system to create the functionality required. It makes malware more difficult to detect by creating a Frankenstein version.

Although the Frankenstein system is only a proof of concept, and the code created just did some simple tasks, sorting and XORing, without having the ability to replicate, computer scientists from University of Texas, Dallas, have certainly proved that the method is viable.

And who knows, it might even be out there in the wild. After all, one of the main advantages of the method is that it hides malware more effectively.

 

frankcode

 

The idea is related to Return Oriented Programming (ROP). This builds a program from fragments of code already in the address space which end in a return. This allows an exploit which has taken over the stack to do anything it cares to without having to install new code or overwrite existing code so potentially triggering a hardware detection mechanism.

The fragments of code that ROP uses are called "gadgets" and each gadget performs a simple task that can be assembled into something that performs effective computation. It isn't difficult to show that it doesn't take much loaded code to derive enough gadgets to form a Turing complete set.

The same idea is used by Frankenstein, only in this case the code can be on disk or in memory. Also in this case the gadgets don't have to end in a return as they are going to be stitched together rather than run from the stack.

A set of logical specifications of what a gadget has to do is used to search for program fragments that meet the specification. Each gadget is a short sequence of machine instructions that performs a simple task, such as loading a register, but also does lots of other things that are side effects and not part of the gadget's task. Each specification accumulates a range of gadgets that do the same thing but with different side effects.

A list of what each gadget also effects, or "clobbers", is also kept so that gadgets can be put together in a way that doesn't alter their main purpose, i.e. so that there are no unwanted interactions.

frankenarch1

The resulting program achieves the target behavior but it is stitched together from gadgets that do all sorts of irrelevant things on the way. Two such realizations of the same program would therefore look very different using different gadgets that do the same basic tasks. This is a form of dynamic obfuscation that wipes out any hope of finding a stable signature, even though the resulting programs all do the same thing. 

Existing mutational techniques for hiding malware generally only use techniques such as XORing a fixed string with the code or swapping blocks of code around. The Frankenstein approach builds a new "body" from parts scavenged from existing programs and so creates something new each time.

Compared to the existing techniques of hiding malware the Frankenstein approach has lots of advantages - the question is, is it already in use?

frankcode

More Information

Frankenstein: Stitching Malware from Benign Binaries

Related Articles

ROP Mitigations Bypassed

 

espbook

 

Comments




or email your comment to: comments@i-programmer.info

To be informed about new articles on I Programmer, install the I Programmer Toolbar, subscribe to the RSS feed, follow us on, Twitter, Facebook, Google+ or Linkedin,  or sign up for our weekly newsletter.

 

Banner


Raspberry Pi CM5 - Expensive And Undocumented
27/11/2024

So the unexpected has happened - the Compute Module 5 has been launched. But it simply emphasises some problems with adopting the Pi as an IoT device.



Insights Into Learning Computer Science
18/12/2024

JetBrains Academy has published the results of a worldwide survey that set out to discover current trends in computer science education and the challenges involved in studying computer science. I [ ... ]


More News

Last Updated ( Friday, 31 August 2012 )