Frankenstein Code Stitches Code Bodies Together To Hide Malware

mikejuk writes "A recent research technique manages to hide malware by stitching together bits of program that are already installed in the system to create the functionality required. Although the Frankenstein system is only a proof of concept, and the code created just did some simple tasks, sorting and XORing, without having the ability to replicate, computer scientists from University of Texas, Dallas, have proved that the method is viable. What it does is to scan the machine's disk for fragments of code, gadgets, that do simple standard tasks. Each task can have multiple gadgets that can be used to implement it and each gadget does a lot of irrelevant things as well as the main task. The code that you get when you stitch a collection of gadgets together is never the same and this makes it difficult to detect the malware using a signature. Compared to the existing techniques of hiding malware the Frankenstein approach has lots of advantages — the question is, is it already in use?" Except for the malware part, this has a certain familiar ring.

Re:Is this actually hard to detect?

[Namarrgon]

The first thing it would find was its own scanning code, and before you know it your AV system has decided that it is itself an unacceptable risk, and has self-quarantined.

Fun but not interesting

The concept of malware using existing code, libraries even...let's see what's on every system in existance:
1. zlib
2. libpng
3. c runtime (albeit different forms)
4. BSD-compatible TCP/IP stack

Yup all the right elements needed to create malware, better go remove all those stat!

All joking aside, The Unix programming model is more or less the "right" way to program things except in two cases:
- Threading, which the unix model does horrible horribly. Many applications still are designed like there is only one CPU in the system, and the worst offenders (eg google chrome) try to solve it by wasting more memory on a broken sandbox model. It doesn't help when the parent process is the one locking up.
- Library dependency hell. Linux specifically has a "NOT INVENTED HERE" problem, where everyone violates the Rule of Diversity. Perl is the worst victim of this in action. Various C libraries also fall into this problem. What happens is that over time, shared libraries change their API, or start requiring yet-more dependancies. The end result is that binary programs on Linux are poorly cobbled-together, and highly dependant on upstream developers to get their ass in gear to fix bugs. As opposed to the FreeBSD/gentoo model where compiling everything solves the library hell and replaces it instead with versioning hell. What I mean is that if you don't constantly update everything every time a new point release is made, eventually the ports library will remove the port (eg php5,52,53,54) and break everything.

In some cases some really stupid crap is a dependency and takes forever (why must all graphics-related ports want to compile the complete X11 system for example)

The Windows model is somewhat better, albeit has it's own problems. Most windows applications, even when they have shared libraries, distribute the shared libraries they use and keep them in their own directories. If you remove these, the system library is then used. It's also possible to just replace a library. However some applications are really bad... and I mean broken-by-design if you use any shared libraries at all...

The current way many MMO games prevent hacking, is by monitoring for injected processes or regular processes on a blacklist. However the more creative hacks actually patch the C runtime itself and patch-over the anti-hacking code. It was kinda fun watching this progress with one specific game, as months would go by and the hackers would have their way with the MMO, and then suddenly the anti-hacking software would come back to life and they'd all panic and stop playing for a few hours as they try to figure out what changed. But the way they do it is by using a benign shared library (zlib or jpeg for example) that is loaded before the anti-hacking library, having all imports passed-thru it to the real library renamed to something else. The payload of the dll file however is when it's loaded.

So it's entirely possible for antivirus software to be neutered by the same process. Antivirus software should be staticly compiled and not relying on any shared files, not even the c-runtime.

Re:Fun but not interesting

[0123456]

The Windows model is somewhat better, albeit has it's own problems. Most windows applications, even when they have shared libraries, distribute the shared libraries they use and keep them in their own directories.

How is having seventy-five copies of zlib, all with different security holes, scattered around your system better than having one copy provided by the OS?

Not possible in my system

[mykepredko]

Seriously, I would expect the pieces of the Frankenstein code to be fairly readily identifiable and

Erectile Dysfunction? Need to please more than one woman. Have we got the pills for you - legal and over the counter just click here: getitup.com

highly unlikely that a well protected system like mine would EVER have to worry about it.

myke

Re:In the wild ...

[jd2112]

From TFA:

Although the Frankenstein system is only a proof of concept, and the code created just did some simple tasks, sorting and XORing, without having the ability to replicate, computer scientists from University of Texas, Dallas, have certainly proved that the method is viable. And who knows, it might even be out there in the wild. After all, one of the main advantages of the method is that it hides malware more effectively.

While I have to profess that I do not know of any existing Frankenstein-code in operation, I can't discount the possibility that, buried in thousands and thousands closed-source software fragments there are things that we have absolutely no idea what they are Even in a totally open source environment, hiding code fragments isn't that hard to accomplish either And who knows? Maybe TPTB already got the Frankenstein codes installed in all our machines

Let me check...

Directory of C:\
...
08/28/2012 11:37 PM 904,704 abbynormal.exe
...
I think you might have a point.

DirecTV, "Been there, done that".

[Trax3001BBS]

Quoting a portion of http://news.slashdot.org/story/01/01/25/1343218/directvs-secret-war-on-hackers
Posted by michael on Thursday January 25 2001

"...It was apparent that DirecTV had lost this battle, relegating DirecTV to hunting down Web sites that discussed
their product and using their legal team to sue and intimidate them into submission.

"Four months ago, however, DirecTV began sending several updates at a time, breaking their pattern. While the
hacking community was able to bypass these batches, they did not understand the reasoning behind them. Never before
had DirecTV sent 4 and 5 updates at a time, yet alone send these batches every week. Many postulated they were
simply trying to annoy the community into submission. The updates contained useless pieces of computer code that
were then required to be present on the card in order to receive the transmission. The hacking community
accommodated this in their software, applying these updates in their hacking software. Not until the final batch of
updates were sent through the stream did the hacking community understand DirecTV. Like a final piece of a puzzle
allowing the entire picture, the final updates made all the useless bits of computer code join into a dynamic
program, existing on the card itself. This dynamic program changed the entire way the older technology worked. In a
masterful, planned, and orchestrated manner, DirecTV had updated the old and ailing technology. The hacking
community responded, but cautiously, understanding that this new ability for DirecTV to apply more advanced logic
in the receiver was a dangerous new weapon. It was still possible to bypass the protections and receive the
programming, but DirecTV had not pulled the trigger of this new weapon.

"Last Sunday night, at 8:30 pm est, DirecTV fired their new gun. One week before the Super Bowl, DirecTV launched a
series of attacks against the hackers of their product. DirecTV sent programmatic code in the stream, using their
new dynamic code ally, that hunted down hacked smart cards and destroyed them. The IRC DirecTV channels overflowed
with thousands of people who had lost the ability to watch their stolen TV. The hacking community by and large lost
not only their ability to watch TV, but the cards themselves were likely permanently destroyed. Some estimate that
in one evening, 100,000 smart cards were destroyed, removing 98% of the hacking communities' ability to steal their
signal. To add a little pizzazz to the operation, DirecTV personally "signed" the anti-hacker attack. The first 8
computer bytes of all hacked cards were rewritten to read "GAME OVER"..."

end quote

Re:Interesting

[1u3hr]

aliens, could construct a data stream to take over a receiving computer on any listening planet.

Basically the plot for "A for Andromeda", the 1961 TV series written by Fred Hoyle. A message is decoded to a computer program for a powerful AI that can answer just about any question. It seems the inventions it creates are designed to make us destroy ourselves; in the sequel it turns out that it was actually an exercise of "tough love" to force us to work together to defeat it rather than nuke each other to oblivion as most intelligent species do.

Re:Is this actually hard to detect?

[Opportunist]

If Symantec did it, you were infected with Symantec.