Frankenstein Code Stitches Code Bodies Together To Hide Malware
mikejuk writes "A recent research technique manages to hide malware by stitching together bits of program that are already installed in the system to create the functionality required. Although the Frankenstein system is only a proof of concept, and the code created just did some simple tasks, sorting and XORing, without having the ability to replicate, computer scientists from the University of Texas, Dallas, have proved that the method is viable. What it does is to scan the machine's disk for fragments of code, gadgets, that do simple standard tasks. Each task can have multiple gadgets that can be used to implement it, and each gadget does a lot of irrelevant things as well as the main task. The code that you get when you stitch a collection of gadgets together is never the same, and this makes it difficult to detect the malware using a signature. Compared to the existing techniques of hiding malware, the Frankenstein approach has lots of advantages — the question is, is it already in use?" Except for the malware part, this has a certain familiar ring.
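The signature-evasion point in the summary, as an added defender-side illustration (this is not code from the submission or from the UT Dallas work): the gadgets, the key and the probe input are constructed toys here, modelled as tiny Python functions that each do one of the two tasks the paper used (sort, XOR) plus some irrelevant work, so every stitching hashes differently while a behavioural check still recognises all of them.

```python
import hashlib
import itertools

KEY = 0x5A  # constructed sample key, not taken from the paper

# Toy "gadgets": each implements one task from the summary (sort or XOR) but
# also does irrelevant work, so the bytes differ even when the task is the same.
def sort_a(data, scratch):
    return sorted(data), scratch

def sort_b(data, scratch):
    out = list(data)
    for i in range(1, len(out)):          # insertion sort ...
        j, v = i, out[i]
        while j > 0 and out[j - 1] > v:
            out[j] = out[j - 1]
            j -= 1
        out[j] = v
    return out, scratch + len(out)        # ... plus a useless scratch update

def xor_a(data, scratch):
    return [x ^ KEY for x in data], scratch

def xor_b(data, scratch):
    scratch ^= 0xFF                       # useless work
    return [(x | KEY) - (x & KEY) for x in data], scratch  # equals x ^ KEY

TASKS = {"sort": [sort_a, sort_b], "xor": [xor_a, xor_b]}

def stitch(choice):
    # One variant: gadget index choice[i] for each task, sort first, then XOR.
    return [TASKS[t][i] for t, i in zip(("sort", "xor"), choice)]

def variants():
    """Every stitching of the available gadgets (2 x 2 = 4 variants)."""
    return [stitch(c) for c in itertools.product(range(2), repeat=2)]

def signature(program):
    """What a byte-signature scanner sees: a hash of the stitched code bytes."""
    code = b"".join(g.__code__.co_code for g in program)
    return hashlib.sha256(code).hexdigest()

def run(program, data):
    scratch = 0
    for g in program:
        data, scratch = g(data, scratch)
    return data

def behaves_like_sample(program, probe=(9, 3, 7)):
    """Behavioural check: compare the variant's effect on a probe, not its bytes."""
    expected = [x ^ KEY for x in sorted(probe)]
    return run(program, list(probe)) == expected
```

All four variants produce four distinct signatures, yet `behaves_like_sample` flags every one of them, which is the gap between byte matching and behaviour-based detection that the summary describes.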
Not possible in my system (Score:5, Funny)
Seriously, I would expect the pieces of the Frankenstein code to be fairly readily identifiable and
Erectile Dysfunction? Need to please more than one woman. Have we got the pills for you - legal and over the counter just click here: getitup.com
highly unlikely that a well protected system like mine would EVER have to worry about it.
myke
Re:In the wild ... (Score:5, Funny)
From TFA:
Although the Frankenstein system is only a proof of concept, and the code created just did some simple tasks, sorting and XORing, without having the ability to replicate, computer scientists from University of Texas, Dallas, have certainly proved that the method is viable. And who knows, it might even be out there in the wild. After all, one of the main advantages of the method is that it hides malware more effectively.
While I have to profess that I do not know of any existing Frankenstein-code in operation, I can't discount the possibility that, buried in thousands and thousands of closed-source software fragments, there are things that we have absolutely no idea what they are. Even in a totally open source environment, hiding code fragments isn't that hard to accomplish either. And who knows? Maybe TPTB already got the Frankenstein codes installed in all our machines.
Let me check...
...
...
Directory of C:\
08/28/2012 11:37 PM 904,704 abbynormal.exe
I think you might have a point.
Re:Is this actually hard to detect? (Score:5, Funny)
If Symantec did it, you were infected with Symantec.