Frankenstein - Stitching Code Bodies Together To Hide Malware
Written by Mike James   
Friday, 31 August 2012

A recent research technique manages to hide malware by stitching together bits of program that are already installed in the system to create the functionality required. It makes malware more difficult to detect by creating a Frankenstein version.

Although the Frankenstein system is only a proof of concept, and the code created just did some simple tasks, sorting and XORing, without having the ability to replicate, computer scientists from University of Texas, Dallas, have certainly proved that the method is viable.

And who knows, it might even be out there in the wild. After all, one of the main advantages of the method is that it hides malware more effectively.

 

frankcode

 

The idea is related to Return Oriented Programming (ROP). This builds a program from fragments of code already in the address space which end in a return. This allows an exploit which has taken over the stack to do anything it cares to without having to install new code or overwrite existing code so potentially triggering a hardware detection mechanism.

The fragments of code that ROP uses are called "gadgets" and each gadget performs a simple task that can be assembled into something that performs effective computation. It isn't difficult to show that it doesn't take much loaded code to derive enough gadgets to form a Turing complete set.

The same idea is used by Frankenstein, only in this case the code can be on disk or in memory. Also in this case the gadgets don't have to end in a return as they are going to be stitched together rather than run from the stack.

A set of logical specifications of what a gadget has to do is used to search for program fragments that meet the specification. Each gadget is a short sequence of machine instructions that performs a simple task, such as loading a register, but also does lots of other things that are side effects and not part of the gadget's task. Each specification accumulates a range of gadgets that do the same thing but with different side effects.

A list of what each gadget also effects, or "clobbers", is also kept so that gadgets can be put together in a way that doesn't alter their main purpose, i.e. so that there are no unwanted interactions.

frankenarch1

The resulting program achieves the target behavior but it is stitched together from gadgets that do all sorts of irrelevant things on the way. Two such realizations of the same program would therefore look very different using different gadgets that do the same basic tasks. This is a form of dynamic obfuscation that wipes out any hope of finding a stable signature, even though the resulting programs all do the same thing. 

Existing mutational techniques for hiding malware generally only use techniques such as XORing a fixed string with the code or swapping blocks of code around. The Frankenstein approach builds a new "body" from parts scavenged from existing programs and so creates something new each time.

Compared to the existing techniques of hiding malware the Frankenstein approach has lots of advantages - the question is, is it already in use?

frankcode

More Information

Frankenstein: Stitching Malware from Benign Binaries

Related Articles

ROP Mitigations Bypassed

 

blog comments powered by Disqus

To be informed about new articles on I Programmer, install the I Programmer Toolbar, subscribe to the RSS feed, follow us on, Twitter, Facebook, Google+ or Linkedin,  or sign up for our weekly newsletter.

 

Banner


Windows 8 Sideloading Enhancements
09/04/2014

If you use the sideloading facility to install apps without using the Windows Store in Windows 8.1, the new Windows 8.1 Update adds two new features that possibly makes it more usable in an enter [ ... ]



Facebook Buys Oculus VR
26/03/2014

Oculus VR, which has a virtual reality headset under development, has been snapped up by Facebook in a deal valued at $2 billion. What does this mean for the future of VR?


More News

Last Updated ( Friday, 31 August 2012 )
 
 

   
RSS feed of news items only
I Programmer News
Copyright © 2014 i-programmer.info. All Rights Reserved.
Joomla! is Free Software released under the GNU/GPL License.