×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Frankenstein Code Stitches Code Bodies Together To Hide Malware

timothy posted about a year and a half ago | from the vould-have-an-enormous-schwangstucker dept.

Security 111

mikejuk writes "A recent research technique manages to hide malware by stitching together bits of program that are already installed in the system to create the functionality required. Although the Frankenstein system is only a proof of concept, and the code created just did some simple tasks, sorting and XORing, without having the ability to replicate, computer scientists from University of Texas, Dallas, have proved that the method is viable. What it does is to scan the machine's disk for fragments of code, gadgets, that do simple standard tasks. Each task can have multiple gadgets that can be used to implement it and each gadget does a lot of irrelevant things as well as the main task. The code that you get when you stitch a collection of gadgets together is never the same and this makes it difficult to detect the malware using a signature. Compared to the existing techniques of hiding malware the Frankenstein approach has lots of advantages — the question is, is it already in use?" Except for the malware part, this has a certain familiar ring.

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

111 comments

I propose a new system. (-1, Offtopic)

Anonymous Coward | about a year and a half ago | (#41203357)

I think that when your payday comes around at work, once a week or every two weeks or every month, they should arrange a system where there are two desks on the way out of the building. At the first, you are given your gross pay in cash. Then, you walk 10 meters down the hallway, and before exiting the building you must stop at a second desk. At that desk, there is a person wearing an official uniform with a US flag and the IRS emblem on it. At this second desk, you must count out whatever your federal withholding would have been and hand over that amount of cash to the IRS agent. You are then authorized to leave. If you refuse to pay, you are arrested for tax evasion. If we implemented this system, I think people would be much more interested in how government spends our money and how much of it they are spending.

In the wild ... (1, Informative)

Taco Cowboy (5327) | about a year and a half ago | (#41203467)

From TFA:

Although the Frankenstein system is only a proof of concept, and the code created just did some simple tasks, sorting and XORing, without having the ability to replicate, computer scientists from University of Texas, Dallas, have certainly proved that the method is viable.
And who knows, it might even be out there in the wild. After all, one of the main advantages of the method is that it hides malware more effectively.

 
While I have to profess that I do not know of any existing Frankenstein-code in operation, I can't discount the possibility that, buried in thousands and thousands closed-source software fragments there are things that we have absolutely no idea what they are
 
Even in a totally open source environment, hiding code fragments isn't that hard to accomplish either
 
And who knows? Maybe TPTB already got the Frankenstein codes installed in all our machines
 

Re:In the wild ... (5, Funny)

jd2112 (1535857) | about a year and a half ago | (#41203567)

From TFA:

Although the Frankenstein system is only a proof of concept, and the code created just did some simple tasks, sorting and XORing, without having the ability to replicate, computer scientists from University of Texas, Dallas, have certainly proved that the method is viable. And who knows, it might even be out there in the wild. After all, one of the main advantages of the method is that it hides malware more effectively.

While I have to profess that I do not know of any existing Frankenstein-code in operation, I can't discount the possibility that, buried in thousands and thousands closed-source software fragments there are things that we have absolutely no idea what they are Even in a totally open source environment, hiding code fragments isn't that hard to accomplish either And who knows? Maybe TPTB already got the Frankenstein codes installed in all our machines

Let me check...

Directory of C:\
...
08/28/2012 11:37 PM 904,704 abbynormal.exe
...
I think you might have a point.

Re:In the wild ... (1)

Anonymous Coward | about a year and a half ago | (#41203657)

I thought of this a long time ago when the idea of DLL's was introduced to me. I began to wonder why virus writers weren't capitalizing on code that was already present on systems. Admittedly, that'd have been in the early days of Windows so there wasn't a lot to work with but I was always under the impression that when malware did code injection to different processes that they were already starting to capitalize on this, and I *know* I thought it was being done around the time that I learned about Python's ctypes because the book Greyhat Python discusses similar ideas. I think I need to start writing some of these ideas of mine down.

That said, this won't be incredibly easy to detect if done properly.

Bash... (2)

flyingfsck (986395) | about a year and a half ago | (#41203709)

"...gadgets, that do simple standard tasks..." Well, I don't want to bash the authors, but what they describe is exactly what a script would do on a Linux system. I suppose they come from a pure Windows environment, where a script is an unheard of, super guru thing...

Re:Bash... (1)

Dr_Barnowl (709838) | about a year and a half ago | (#41204727)

It's more that there are a bunch of functions concealed in otherwise normal looking modules, that strung together make a piece of malware, rather than the malware being a single unit.

In other words, it's a bit like modern Java programs - importing a whole bunch of enormous libraries just to use one function from each....

Re:In the wild ... (0)

Anonymous Coward | about a year and a half ago | (#41203719)

I think there is an echo in here.

Re:In the wild ... (0)

Anonymous Coward | about a year and a half ago | (#41204943)

And who knows? Maybe TPTB already got the Frankenstein codes installed in all our machines

The code to assemble all these potential Frankenstein code fragments (aka, 'the good doctor') would be probably be identifiable as malware. Think of it this way: in the morgue no one notices a body or its assorted parts. They will notice someone going around trying to see if they can fit the miscellaneous parts together.

Re:I propose a new system. (-1, Redundant)

Anonymous Coward | about a year and a half ago | (#41203479)

So to reduce government spending you plan to waste huge amounts of taxpayer money on a system that would only add inconvenience for citizens? Idiot.

Re:I propose a new system. (-1)

Anonymous Coward | about a year and a half ago | (#41204921)

I'd be more interested in how you propose to pay for all those additional 'tax collectors'. I'd be willing to go along with your ideas as long as these additional tax collectors met the same stringent criteria as tax collectors in India [bbc.co.uk]. Let us know when you have the first hundred applicants.

Perhaps the government could funnel a little (more?) of our tax dollars to help cover your meds and in-patent treatment.

Supreme Adaptability (0)

Anonymous Coward | about a year and a half ago | (#41203387)

One of these days you'll just write the malware, and it'll figure out the infection vectors.

Re:Supreme Adaptability (0)

Anonymous Coward | about a year and a half ago | (#41203565)

One of these days you'll just write the malware, and it'll figure out the infection vectors.

It'd be like an STD that sets up a "date" and rents out the cheap motel for you!

This is new? (0)

Anonymous Coward | about a year and a half ago | (#41203399)

This was done way back in windoze 95 days.

And it worked then too.

Detecting malware is doing it wrong...fix holes!!! (0)

Anonymous Coward | about a year and a half ago | (#41203415)

It amazes me that companies continue to operate when they do everything in there power to create insecure and unsafe environments for users. It's too bad there isn't worse dammage from malware. Maybe the risk of death or something similar would make people think twice.

Re:Detecting malware is doing it wrong...fix holes (2)

SuricouRaven (1897204) | about a year and a half ago | (#41204319)

A lot of the time the users are the holes. You can use the most secure software in the world, but it's not going to do you a lot of good if Mr Smith in accounting decides that he simply must run that program from a dubious website that sends a cartoon cat to crawl around the screen to make his job less depressing.

Is this actually hard to detect? (1)

dohzer (867770) | about a year and a half ago | (#41203433)

With normal malware your antivirus would search for code that performs, say, XORing.
With Frankenstein Code malware, wouldn't your antivirus software simply search for the code that *searches* for XORing code?

Re:Is this actually hard to detect? (3, Insightful)

Namarrgon (105036) | about a year and a half ago | (#41203461)

The first thing it would find was its own scanning code, and before you know it your AV system has decided that it is itself an unacceptable risk, and has self-quarantined.

Re:Is this actually hard to detect? (0)

Anonymous Coward | about a year and a half ago | (#41203509)

Norton Antivirus and McAfee did just that on a system wide CIH infection, just too bad good old f-prot ain't free anymore...

Re:Is this actually hard to detect? (1)

AliasMarlowe (1042386) | about a year and a half ago | (#41204137)

Norton Antivirus and McAfee did just that on a system wide CIH infection, just too bad good old f-prot ain't free anymore...

Did they then completely remove themselves?
If so, good; congratulations on the less unclean PC. If not, they were clearly not doing their AV job properly.

Re:Is this actually hard to detect? (1)

dohzer (867770) | about a year and a half ago | (#41204513)

It might find your code, if it used the same search algorithm.
You wouldn't only search for the code that searches. You'd search for a program that:
1. Searches for code sections.
2. Records their locations.
3. Executes it's code by jumping between those sections.

Surely this code has to have some kind of 'signature' (a standard structure) which is easy to find with a scan, right?

Re:Is this actually hard to detect? (1)

m6tt (263581) | about a year and a half ago | (#41203485)

It seems like the "gadgets" would be just as vulnerable to network profiling and detection.

You'd try to detect the "Frankenstein" code. (1)

khasim (1285) | about a year and a half ago | (#41203845)

In this example, they're saying that detecting the "body parts" would be too difficult because they'd be legit apps. And they're correct.

So the idea would be to look for the "Frankenstein" code which uses those "body parts". Because THAT is the malware code.

So I'm not seeing where the problem is.

Re:You'd try to detect the "Frankenstein" code. (1)

Anonymous Coward | about a year and a half ago | (#41204109)

There's no problem. The "Frankenstein" code is equivalent to code that uses dynamic libraries. The article is bullshit.

Re:You'd try to detect the "Frankenstein" code. (0)

Anonymous Coward | about a year and a half ago | (#41204161)

There's no problem. The "Frankenstein" code is equivalent to code that uses dynamic libraries. The article is bullshit.

That's exactly what I thought.

Re:You'd try to detect the "Frankenstein" code. (1)

aaron552 (1621603) | about a year and a half ago | (#41204325)

My guess is that it's a way to try and beat antivirus heuristics: None of the "gadgets" appear to do anything bad and can if fact come from "trusted" programs, but the combination of actions can be anything but innocent.

Re:Is this actually hard to detect? (1)

gweihir (88907) | about a year and a half ago | (#41205171)

Indeed. You need to get the scanner/stitcher on the target system, and have it running as root. Kind of kills the whole idea, because this would be glaringly obvious even to a simple behavior-based detection system. And you cannot stitch the scanner/stitcher itself, as it has to be viable on the target. Kind of like a huge, glaring flaw in the whole idea.

The only thing this may be able to do (and I doubt that the stitching really works and is resilient enough for any real program) is to put this on the target, and then let it hide some malcode from detection. But that means getting past all defenses initially with a likely huge scanner/stitcher. When you can do that, you can just modify the target system kernel to hide you. As is already being done.

Re:Is this actually hard to detect? (2)

gl4ss (559668) | about a year and a half ago | (#41205187)

the code that searches for the xoring code would be mutated as well.
technically this leads to 50% size increase in each new generation of the malware, due to the added cruft. the article was making rounds maybe two weeks ago or something already...

I'm pretty sure the av guys can find some common denominator to look for though, like the api calls that go looking for the files.. - But I would presume the main use point for this would be on malware installing servers.

Interesting (1)

Impy the Impiuos Imp (442658) | about a year and a half ago | (#41203437)

And now you know why The Blight's archive, from A Fire Upon The Deep, who can effortlessly simulate a hundred trillion galactic-sized civilizations a second, was so far beyond any other conceivable bad guy. Brings new meaning to the statement in Contact, "That's the way it's been done for billions of years"...hacking out all conceivable methods of fail.

There's a theory that sufficiently clever people, or aliens, could construct a data stream to take over a receiving computer on any listening planet. Technologically this might not be possible without an embedded social engineering assist, but that's trivial manipulation, too.

Re:Interesting (0)

Anonymous Coward | about a year and a half ago | (#41203493)

There's a theory that sufficiently clever people, or aliens, could construct a data stream to take over a receiving computer on any listening planet. Technologically this might not be possible without an embedded social engineering assist, but that's trivial manipulation, too.

No, that's a hypothesis. A theory needs some form of evidence.

Re:Interesting (3, Interesting)

1u3hr (530656) | about a year and a half ago | (#41203653)

aliens, could construct a data stream to take over a receiving computer on any listening planet.

Basically the plot for "A for Andromeda", the 1961 TV series written by Fred Hoyle. A message is decoded to a computer program for a powerful AI that can answer just about any question. It seems the inventions it creates are designed to make us destroy ourselves; in the sequel it turns out that it was actually an exercise of "tough love" to force us to work together to defeat it rather than nuke each other to oblivion as most intelligent species do.

Re:Interesting (2)

ldobehardcore (1738858) | about a year and a half ago | (#41203777)

I haven't seen "A for Andromeda", so I'll take you at your word, and comment on the series, since I think the premise is utterly absurd.

The idea that an extraterrestrial civilization would send out a "tough love" kind of virus, in order to teach us a lesson in cooperation, is incredibly naive. Firstly: if contact with an alien civilization is made, it's likely to be accidentally picking up a private signal on our part, and we'll probably NEVER understand the signal in itself. It's overwhelmingly probable that it would have totally indecipherable content, no matter that we could figure out that the signal is not from natural emission.

Secondly: Why the hell would another civilization, with superior technology to us want to help us at all? We're essentially shaved apes with thermonuclear weapons! We aren't much smarter than the animals we dominate. Our only real advantage over other animals is our ability to communicate through complex language, and even then we really suck at it. We can't agree on most things, and those of us who do seem to only be like minded due to meme viruses that pretty much break the useful parts of our minds regarding making advances to the human race (religion anyone?)

Thirdly: What do we have to contribute to a galactic society that they can't just take from observing our broadcasts? We pretty much have nothing to offer. We're insanely optimistic. In fact, we have to be irrationally optimistic in order to not be labeled severely depressed. Depressed people see the out of control nature of the universe and what happens to them, and realize that any event they do have control over are insignificant to the universe and 99.9999% of the people on earth, so they despair at the knowledge of their own impotence. This is logical, but bad for mental health. How fucked up are we that we need to think that we matter in order to keep from killing ourselves.

In all it's a crazy idea that any extraterrestrial civilization would ever want to contact us, much less carry us along, other than for pure altruism. And from all the study I've done of humans, the correlation between size of a society and altruism has a negative correlation as a society grows.

Just a few thoughts about the above description of "A for Andromeda". I'm going to look for it now and see if I'm just a bloviating dick.

Re:Interesting (0)

Decker-Mage (782424) | about a year and a half ago | (#41204013)

[Wandering WTF Off-topic ;-). ] A couple of assumptions in there: (1) Humans, as a species, are sane? By whose definition? (2) Humans as a species, or individually for that matter, are rational? I've only met a rare few and given that I'm considered non-sane, if rationality is considered sane at all, I don't know if they, or myself, matter. May be bloviating, but definitely interesting!

Re:Interesting (1)

ldobehardcore (1738858) | about a year and a half ago | (#41204049)

What I meant by sane is: in order to be considered mentally healthy, an individual is required to exhibit irrationally optimistic behavior, often to the point of their own detriment.

Sanity is a relative term at best, and is often totally arbitrary.

I did make the mistake of mixing vernacular and jargon in my earlier post

Re:Interesting (1)

ldobehardcore (1738858) | about a year and a half ago | (#41204087)

Also: irrationality is detrimental to the health of an organism. Acting irrationally is not optimal behavior, although I have the suspicion that some irrationality plays an important part in problem solving strategies. Guess and test problem solving tends not to be productive in a continuous problem space since, since they have essentially infinite permutations. Irrationality allows one to pick values at random and test them to look for patterns. From there you find the closest value to what you want and permute the input up and down and go on from there.

Re:Interesting (1)

Taco Cowboy (5327) | about a year and a half ago | (#41204139)

[Wandering WTF Off-topic ;-). ] A couple of assumptions in there: (1) Humans, as a species, are sane? By whose definition? (2) Humans as a species, or individually for that matter, are rational? I've only met a rare few and given that I'm considered non-sane, if rationality is considered sane at all, I don't know if they, or myself, matter. May be bloviating, but definitely interesting!

First of all, apologies to all the Slashdotters who still consider themselves as "sane"

The years that I've been on Slashdot tell me one thing, and that is,

No sane person will ever be attracted to this site
 

Re:Interesting (1)

Teun (17872) | about a year and a half ago | (#41204691)

No sane person will ever be attracted to this site

Most successful cures started with diagnosis, this [wikipedia.org] should be a good start for recovery.

Re:Interesting (1)

citizenr (871508) | about a year and a half ago | (#41204131)

Secondly: Why the hell would another civilization, with superior technology to us want to help us at all?

Why the hell would a bunch of smart people try to help stupid and evil corporation by wrecking havoc inside its infrastructure and exposing all of its secrets?

The answer is For Teh LULZ!1

Re:Interesting (0)

Anonymous Coward | about a year and a half ago | (#41205051)

I'm going to look for it now and see if I'm just a bloviating dick.

Yup.. you're a bloviating dick...

Re:Interesting (1)

gweihir (88907) | about a year and a half ago | (#41205131)

You have really gorged yourself on the BS. There is nothing trivial here. Most of it may well be impossible in this universe.

Real philosophy (0)

Anonymous Coward | about a year and a half ago | (#41203451)

Except for the malware part, this has a certain familiar ring.

So when some asshole kludges together horrific scripts that are deliberately obfuscated to ensure years of billable hours, how is that not malware?

Fun but not interesting (5, Informative)

Anonymous Coward | about a year and a half ago | (#41203463)

The concept of malware using existing code, libraries even...let's see what's on every system in existance:
1. zlib
2. libpng
3. c runtime (albeit different forms)
4. BSD-compatible TCP/IP stack

Yup all the right elements needed to create malware, better go remove all those stat!

All joking aside, The Unix programming model is more or less the "right" way to program things except in two cases:
- Threading, which the unix model does horrible horribly. Many applications still are designed like there is only one CPU in the system, and the worst offenders (eg google chrome) try to solve it by wasting more memory on a broken sandbox model. It doesn't help when the parent process is the one locking up.
- Library dependency hell. Linux specifically has a "NOT INVENTED HERE" problem, where everyone violates the Rule of Diversity. Perl is the worst victim of this in action. Various C libraries also fall into this problem. What happens is that over time, shared libraries change their API, or start requiring yet-more dependancies. The end result is that binary programs on Linux are poorly cobbled-together, and highly dependant on upstream developers to get their ass in gear to fix bugs. As opposed to the FreeBSD/gentoo model where compiling everything solves the library hell and replaces it instead with versioning hell. What I mean is that if you don't constantly update everything every time a new point release is made, eventually the ports library will remove the port (eg php5,52,53,54) and break everything.

In some cases some really stupid crap is a dependency and takes forever (why must all graphics-related ports want to compile the complete X11 system for example)

The Windows model is somewhat better, albeit has it's own problems. Most windows applications, even when they have shared libraries, distribute the shared libraries they use and keep them in their own directories. If you remove these, the system library is then used. It's also possible to just replace a library. However some applications are really bad... and I mean broken-by-design if you use any shared libraries at all...

The current way many MMO games prevent hacking, is by monitoring for injected processes or regular processes on a blacklist. However the more creative hacks actually patch the C runtime itself and patch-over the anti-hacking code. It was kinda fun watching this progress with one specific game, as months would go by and the hackers would have their way with the MMO, and then suddenly the anti-hacking software would come back to life and they'd all panic and stop playing for a few hours as they try to figure out what changed. But the way they do it is by using a benign shared library (zlib or jpeg for example) that is loaded before the anti-hacking library, having all imports passed-thru it to the real library renamed to something else. The payload of the dll file however is when it's loaded.

So it's entirely possible for antivirus software to be neutered by the same process. Antivirus software should be staticly compiled and not relying on any shared files, not even the c-runtime.

Re:Fun but not interesting (4, Insightful)

0123456 (636235) | about a year and a half ago | (#41203783)

The Windows model is somewhat better, albeit has it's own problems. Most windows applications, even when they have shared libraries, distribute the shared libraries they use and keep them in their own directories.

How is having seventy-five copies of zlib, all with different security holes, scattered around your system better than having one copy provided by the OS?

Re:Fun but not interesting (0)

Anonymous Coward | about a year and a half ago | (#41206005)

...compared to having multiple versions of the shared library because you have old binaries linking to each one which can't be upgraded due to ABI issues?

Re:Fun but not interesting (0)

Anonymous Coward | about a year and a half ago | (#41203851)

Sorry, but you're missing something. You can statically link the C runtime if you want to jump through a hoop or two. The C runtime makes kernel calls directly.

Of course you can always rootkit your windows in order to defend against that. but then you just have a rootkit sitting around ready to be Frankenstein-ed!

Your thoughts and views on security are a bit out of date, sorry.

Re:Fun but not interesting (2)

Bert64 (520050) | about a year and a half ago | (#41204197)

In some cases some really stupid crap is a dependency and takes forever (why must all graphics-related ports want to compile the complete X11 system for example)

This is why Gentoo has USE flags, so you can turn off optional dependencies if you don't require their functionality.

The Windows model is somewhat better, albeit has it's own problems. Most windows applications, even when they have shared libraries, distribute the shared libraries they use and keep them in their own directories. If you remove these, the system library is then used. It's also possible to just replace a library. However some applications are really bad... and I mean broken-by-design if you use any shared libraries at all...

The windows model is more convenient for end users, at the expense of performance and efficiency... And incidentally, OSX works in a similar way with application bundles.

The system provided shared libraries maintain binary level backwards compatibility by including multiple versions of the library, making it much easier to run old binaries but also causing significant code bloat and resulting in the presence of lots of old and potentially insecure code.

By including libraries with each application instead of installing them centrally, you end up wasting memory if you ever run several programs at once, since each one will load its own copy - thus defeating one of the key benefits of shared libraries.

Also by including libs with each app, you end up with an absolute nightmare should a security vulnerability be discovered in one of them... Instead of updating the library centrally, you now have to update each individual application that uses it, either by installing an updated version of the app (usually by hand since windows lacks any proper package management), or by manually replacing the library version (which may or may not work). You also have various vendors which ship old versions of libraries which already have known security holes!

The biggest problem with the windows model however, is the fact that its mandatory... You cannot go and strip out all the old libraries and configure the system centrally.... Linux can actually operate in the windows way quite easily, but the fact it doesn't is largely because package management and source code availability eliminates most of the hassle of keeping centralised libraries while retaining the benefits. The windows model is largely a kludge designed to mitigate the lack of package management and sourcecode.

Re:Fun but not interesting (1)

equex (747231) | about a year and a half ago | (#41204353)

With 16GB RAM being about $100, claiming memory usage is pointless. also, linux has different library versions all over the place. also, most windows apps comes with custom dlls placed in its program folder, and for the system libraries, MS redistributable packages are used at the end of the Installer program. windows has problems with efficiency and performance ? sure, some ligthweight configurations can sometimes match Window 7's snappiness, but come on...

Re:Fun but not interesting (1)

martin-boundary (547041) | about a year and a half ago | (#41204401)

With 16GB RAM being about $100, claiming memory usage is pointless.

And that attitude is why Microsoft just shat its pants and frantically tries to reinvent Windows into a tablet friendly OS.

Being efficient is always a good idea. Even if your system has 16GB of memory available, how do you know what else is running on the system? How can you tell what other long running processes the _user_ thinks are much more important than yours? Besides, RAM has been the new disk for years now. If your program doesn't fit in L2 cache, all those intermittent RAM fetches will make it dog slow.

Re:Fun but not interesting (1)

SuricouRaven (1897204) | about a year and a half ago | (#41204361)

Modification of libaries is/was a common cheat on FPSs too. One of the classics is a fake directx/opengl library that just passes all calls straight to the real library, after first modifying the alpha channel of textures. Thus all walls become translucent. This used to be one of the most popular ways to cheat on counterstrike before anti-cheating measures actually became effective - a player with the library hack could see through walls, giving a huge advantage in gameplay.

Re:Fun but not interesting (1)

Z34107 (925136) | about a year and a half ago | (#41204369)

I stopped reading when you picked "Chrome" as an example of poorly-threaded software.

why don't you read the fucking article sometimes (1)

gl4ss (559668) | about a year and a half ago | (#41205239)

it's not about using the libraries. that is not the point. the point is to just take random code from a random file that happens to for example move data from register x to register y, and then use that code instead of simple register move command when recompiling the malwares code, that way the entire malware can be ran through the obfuscator, including the obfuscation code, so the entire malware is polymorphed(and bloated by ~50%). it's an obfuscation method. it's NOT about using system libraries since that would be ancient dos age stuff(bios is an os library).

and it's pretty hard for av to not have to access os filesystem routines, your blackbox av idea isn't exactly solid.

Not possible in my system (5, Funny)

mykepredko (40154) | about a year and a half ago | (#41203495)

Seriously, I would expect the pieces of the Frankenstein code to be fairly readily identifiable and

Erectile Dysfunction? Need to please more than one woman. Have we got the pills for you - legal and over the counter just click here: getitup.com

highly unlikely that a well protected system like mine would EVER have to worry about it.

myke

Re:Not possible in my system (0)

Anonymous Coward | about a year and a half ago | (#41204073)

Your on a mac or sent from your ipad?

Hasn't something like this been done? (2)

Immerman (2627577) | about a year and a half ago | (#41203521)

Perhaps someone was pulling my leg at the time, but I remember back in the mid-nineties hearing about a project where dozens (soon to be hundreds) of self-modifying/evolving viruses were turned loose on a host machine to compete, with one of the most successful being a tiny bit of "parasite" code that had offloaded virtually all of it's functionality to other viruses in the ecosystem.

Return oriented computing (1)

Anonymous Coward | about a year and a half ago | (#41203553)

There is a similar thing called "return oriented computing". I don't know to what extent is this used in practice, but this idea isn't completely new.

Re:Return oriented computing (1)

aaron552 (1621603) | about a year and a half ago | (#41204335)

I thought "return oriented" hacks were essentially just overwriting the return pointer from a defined location to malicious code? This looks like an evolution of ROC.

Re:Return oriented computing (2)

gweihir (88907) | about a year and a half ago | (#41205113)

It is not. Return oriented programming has it right: It is a small part of the malware doing the privilege escalation. All other virus code gets propagated. This "revolutionary new thing" is not revolutionary and it is not new. Other have not pursued it because it does rather obviously not work for any kind of propagating code. The simple question of "how do you get the scanner/stitcher" on the target system and running as root?" seems to escape people.

DirecTV, "Been there, done that". (4, Interesting)

Trax3001BBS (2368736) | about a year and a half ago | (#41203615)

Quoting a portion of http://news.slashdot.org/story/01/01/25/1343218/directvs-secret-war-on-hackers [slashdot.org]
Posted by michael on Thursday January 25 2001

"...It was apparent that DirecTV had lost this battle, relegating DirecTV to hunting down Web sites that discussed
their product and using their legal team to sue and intimidate them into submission.

"Four months ago, however, DirecTV began sending several updates at a time, breaking their pattern. While the
hacking community was able to bypass these batches, they did not understand the reasoning behind them. Never before
had DirecTV sent 4 and 5 updates at a time, yet alone send these batches every week. Many postulated they were
simply trying to annoy the community into submission. The updates contained useless pieces of computer code that
were then required to be present on the card in order to receive the transmission. The hacking community
accommodated this in their software, applying these updates in their hacking software. Not until the final batch of
updates were sent through the stream did the hacking community understand DirecTV. Like a final piece of a puzzle
allowing the entire picture, the final updates made all the useless bits of computer code join into a dynamic
program, existing on the card itself. This dynamic program changed the entire way the older technology worked. In a
masterful, planned, and orchestrated manner, DirecTV had updated the old and ailing technology. The hacking
community responded, but cautiously, understanding that this new ability for DirecTV to apply more advanced logic
in the receiver was a dangerous new weapon. It was still possible to bypass the protections and receive the
programming, but DirecTV had not pulled the trigger of this new weapon.

"Last Sunday night, at 8:30 pm est, DirecTV fired their new gun. One week before the Super Bowl, DirecTV launched a
series of attacks against the hackers of their product. DirecTV sent programmatic code in the stream, using their
new dynamic code ally, that hunted down hacked smart cards and destroyed them. The IRC DirecTV channels overflowed
with thousands of people who had lost the ability to watch their stolen TV. The hacking community by and large lost
not only their ability to watch TV, but the cards themselves were likely permanently destroyed. Some estimate that
in one evening, 100,000 smart cards were destroyed, removing 98% of the hacking communities' ability to steal their
signal. To add a little pizzazz to the operation, DirecTV personally "signed" the anti-hacker attack. The first 8
computer bytes of all hacked cards were rewritten to read "GAME OVER"..."

end quote

Re:DirecTV, "Been there, done that". (2)

girlintraining (1395911) | about a year and a half ago | (#41203799)

Not exactly. In that case, most of the code was uploaded, then resequenced and executed. The completed program looked the same on each card. In this case, what they're saying is with all the DLLs on a system, if you can heuristically analyze them for relevant code segments to fulfill your objective, then you can use code that's already trusted and integrated into the system as a foundation for your attack.

The problem with this method, is that it still requires a 'seed'. It needs a program with the logic necessary to stitch together its payload. In other words, the delivery system is still vulnerable to conventional countermeasures.

Re:DirecTV, "Been there, done that". (1)

theCoder (23772) | about a year and a half ago | (#41204893)

So, what you're saying is that DirectTV used social engineering techniques to convince people to install malicious software on their receivers and then sent a signal to those receivers that destroyed them, potentially causing millions of dollars in damages? It seems to me that if I did that, I'd be prosecuted, no matter what the people I attacked did to me.

OTOH, after reading some more [codinghorror.com] about the details, the smart cards may have actually been DirectTV's property that they had lent to the hackers because they were DirectTV subscribers. The hackers were just changing their subscription level to get more than they paid for. So, in effect, DirectTV was destroying their own property. And I guess since the hackers didn't really have "clean hands", they couldn't very well claim that DirectTV wasn't providing the basic service that they were paying for.

Still, I bet they didn't tell their legal department what they were doing until after it was done, and it does sound like a neat hack :)

ROP & The Halting Problem (2)

Tracy Reed (3563) | about a year and a half ago | (#41203661)

This sounds like Return Oriented Programming, used in some exploits to thwart countermeasures. But it is a long way from stitching together code to do trivial things all the way to making code which replicates, has a payload, AND can stitch together code to do all Of this. The Halting Problem makes me wonder if it is even theoretically possible.

Re:ROP & The Halting Problem (0)

Anonymous Coward | about a year and a half ago | (#41203801)

This sounds like Return Oriented Programming, used in some exploits to thwart countermeasures. But it is a long way from stitching together code to do trivial things all the way to making code which replicates, has a payload, AND can stitch together code to do all Of this. The Halting Problem makes me wonder if it is even theoretically possible.

WTF does the halting problem have to do with any of this?

Re:ROP & The Halting Problem (1)

Decker-Mage (782424) | about a year and a half ago | (#41204053)

This sounds like Return Oriented Programming, used in some exploits to thwart countermeasures. But it is a long way from stitching together code to do trivial things all the way to making code which replicates, has a payload, AND can stitch together code to do all Of this. The Halting Problem makes me wonder if it is even theoretically possible.

WTF does the halting problem have to do with any of this?

Somebody didn't eat their Wheaties this morning and completely forgot the history of computing. Go look up Von Neumann machines and the halting problem.

Re:ROP & The Halting Problem (1)

Anonymous Coward | about a year and a half ago | (#41204105)

This sounds like Return Oriented Programming, used in some exploits to thwart countermeasures. But it is a long way from stitching together code to do trivial things all the way to making code which replicates, has a payload, AND can stitch together code to do all Of this. The Halting Problem makes me wonder if it is even theoretically possible.

WTF does the halting problem have to do with any of this?

Somebody didn't eat their Wheaties this morning and completely forgot the history of computing. Go look up Von Neumann machines and the halting problem.

Somebody saw "The Halting Problem" on Wikipedia but has no idea what it means. The halting problem does not say you cannot write code that replicates. The halting problem does not say you cannot stitch code together to build a larger program. The halting problem merely says that, in general , you cannot determine whether an arbitrary piece of code halts. Our hypothetical exploit designer would not be stitching arbitrary pieces of code -- they would be stitching specific pieces of code in a specific executable. A long history of dissasmblers and exploits** have taught us that, guess what, in spite of this halting problem thing (that you don't understand in the slightest), it is in fact possible, in practice , to look at a piece of assembly code and figure out what it does. And that's all our hypothetical exploit designer would have to do (well, that, and also figure out a way to stitch those pieces of code together.. but you have not demonstrated how that stitching problem is made impossible because of the halting problem).

**Go look up the Morris worm, and then barf up your Wheaties because they're obviously not doing you any good.

Re:ROP & The Halting Problem (0)

Anonymous Coward | about a year and a half ago | (#41204491)

it is in fact possible, in practice, to look at a piece of assembly code and figure out what it does.

Unless you've secretly proven the Collatz conjecture, you should take back your "in practice."
In practice, nobody (including you) knows if the following halts:

// pseudocode
function H(n) { return (isOdd(n)) ? (3 * n + 1) ? (n / 2); }
function collatz(n) { while (n > 1) n = H(n); }
function maybehalt() { for(int i = 1; i < pow(2,256); ++i) collatz(i); }

So far the conjecture is only proven to about 64 bits, but you should try to prove 1..2^32 as a warm-up exercise (hint: 1..2^32 definitely halts). ;-)

Re:ROP & The Halting Problem (0)

Anonymous Coward | about a year and a half ago | (#41204141)

He thinks the malware would analyze other processeses' code to find what it wants. Which, of course, would never work.

Re:ROP & The Halting Problem (1)

SuricouRaven (1897204) | about a year and a half ago | (#41204477)

The halting program only says that there exist some programs for which it is impossible to determine if they halt. Not a problem here: All the hypothetical frankenmalware need do is know when to give up and go in hunt of some new code. The really difficult part is making a program that can determine the function of another section of code in a meaningful enough manner to create a new program from them - this would require some incredible level of AI, in some ways nearing human capacity for abstract thought and modeling, but it doesn't violate any fundamental laws of mathematics. It's just difficult, not impossible.

Difficult enough though that there are easier ways to achieve the same ends.

Re:ROP & The Halting Problem (1)

gweihir (88907) | about a year and a half ago | (#41205101)

I think it would be possible, if you do not stitch the stitcher/scanner. If you stitch that as well, I expect the code will get larger and larger. There is also a fundamental issue: You cannot propagate the virus, you need to propagate the scanner/stitcher and have it run as root on the target before you can create a virus there. Kind of defeats the point.

Re:ROP & The Halting Problem (1)

gl4ss (559668) | about a year and a half ago | (#41205353)

the point is that it gets to run because it didn't hit the scanner. and the point is exactly that the obfuscator gets obfuscated too. and it does increase with every generation in file size.

Re:ROP & The Halting Problem (1)

gweihir (88907) | about a year and a half ago | (#41205421)

Once you have the scanner/stitcher running on the target system, you have already full control. Doing the scanning/stitching is redundant.

Bits and pieces of code, cobbled together? (0)

Anonymous Coward | about a year and a half ago | (#41203677)

Sounds like Windows to me.

Biological weapon (1)

wisebabo (638845) | about a year and a half ago | (#41203689)

I mean code is code so the same tactics could be used to make an artificial virus evade the immune system right?

Would it work? Probably not.

Would it be plausible enough to write a sci/fI book or movie? Maybe.

Re:Biological weapon (2)

SuricouRaven (1897204) | about a year and a half ago | (#41204487)

That basically is a virus. Their own genome doesn't supply all of the information needed to make a new virus, but rather adapts the existing processes coded for by the host's own genome. That's why viruses tend to be much more species-specific than bacteria.

Re:Biological weapon (1)

gl4ss (559668) | about a year and a half ago | (#41205365)

I mean code is code so the same tactics could be used to make an artificial virus evade the immune system right?

Would it work? Probably not.

Would it be plausible enough to write a sci/fI book or movie? Maybe.

I think there's been pretty many books written about the common flu(and the not so common man made flus) already.

Okay...but... (0)

Anonymous Coward | about a year and a half ago | (#41203757)

You still need code for Dr. Frankenstein that creates this monster, right? Surely that can be detected?

Re:Okay...but... (1)

aaron552 (1621603) | about a year and a half ago | (#41204351)

Indeed it can, but my guess is that this is primarily a way to beat antivirus heuristics rather than definitions (there are fairly simple ways already to beat signature detection)

Re:Okay...but... (1)

Lehk228 (705449) | about a year and a half ago | (#41205317)

i am pretty sure loading strips of exe and dll files would be an east heuristic, easier than most because these days nobody would do that in a regular program (might screw over a few demo scene projects)

unix utilies have malware (1)

abdupattoh (2431326) | about a year and a half ago | (#41203775)

As for the link to unix philosophy, I am sure that certain unities have malware, especially the ones I can't ever remember how to use, or what on earth the switches all mean, like find, or man.

They've got you by the balls (-1)

Anonymous Coward | about a year and a half ago | (#41203821)

Memorable quotes for
Looker (1981)
http://www.imdb.com/title/tt0082677/quotes [imdb.com]

"John Reston: Television can control public opinion more effectively than armies of secret police, because television is entirely voluntary. The American government forces our children to attend school, but nobody forces them to watch T.V. Americans of all ages *submit* to television. Television is the American ideal. Persuasion without coercion. Nobody makes us watch. Who could have predicted that a *free* people would voluntarily spend one fifth of their lives sitting in front of a *box* with pictures? Fifteen years sitting in prison is punishment. But 15 years sitting in front of a television set is entertainment. And the average American now spends more than one and a half years of his life just watching television commercials. Fifty minutes, every day of his life, watching commercials. Now, that's power."

##

"The United States has it's own propaganda, but it's very effective because people don't realize that it's propaganda. And it's subtle, but it's actually a much stronger propaganda machine than the Nazis had but it's funded in a different way. With the Nazis it was funded by the government, but in the United States, it's funded by corporations and corporations they only want things to happen that will make people want to buy stuff. So whatever that is, then that is considered okay and good, but that doesn't necessarily mean it really serves people's thinking - it can stupify and make not very good things happen."
- Crispin Glover: http://www.imdb.com/name/nm0000417/bio [imdb.com]

##

"It's only logical to assume that conspiracies are everywhere, because that's what people do. They conspire. If you can't get the message, get the man." - Mel Gibson (from an interview)

##

"We'll know our disinformation program is complete when everything the American public believes is false." - William Casey, CIA Director

##

"The real reason for the official secrecy, in most instances, is not to keep the opposition (the CIA's euphemistic term for the enemy) from knowing what is going on; the enemy usually does know. The basic reason for governmental secrecy is to keep you, the American public, from knowing - for you, too, are considered the opposition, or enemy - so that you cannot interfere. When the public does not know what the government or the CIA is doing, it cannot voice its approval or disapproval of their actions. In fact, they can even lie to your about what they are doing or have done, and you will not know it. As for the second advantage, despite frequent suggestion that the CIA is a rogue elephant, the truth is that the agency functions at the direction of and in response to the office of the president. All of its major clandestine operations are carried out with the direct approval of or on direct orders from the White House. The CIA is a secret tool of the president - every president. And every president since Truman has lied to the American people in order to protect the agency. When lies have failed, it has been the duty of the CIA to take the blame for the president, thus protecting him. This is known in the business as "plausible denial." The CIA, functioning as a secret instrument of the U.S. government and the presidency, has long misused and abused history and continues to do so."
- Victor Marchetti, Propaganda and Disinformation: How the CIA Manufactures History

##

George Carlin:

"The real owners are the big wealthy business interests that control things and make all the important decisions. Forget the politicians, they're an irrelevancy. The politicians are put there to give you the idea that you have freedom of choice. You don't. You have no choice. You have owners. They own you. They own everything. They own all the important land. They own and control the corporations. They've long since bought and paid for the Senate, the Congress, the statehouses, the city halls. They've got the judges in their back pockets. And they own all the big media companies, so that they control just about all of the news and information you hear. They've got you by the balls. They spend billions of dollars every year lobbying lobbying to get what they want. Well, we know what they want; they want more for themselves and less for everybody else.

But I'll tell you what they don't want. They don't want a population of citizens capable of critical thinking. They don't want well-informed, well-educated people capable of critical thinking. They're not interested in that. That doesn't help them. That's against their interests. They don't want people who are smart enough to sit around the kitchen table and figure out how badly they're getting fucked by a system that threw them overboard 30 fucking years ago.

You know what they want? Obedient workers people who are just smart enough to run the machines and do the paperwork but just dumb enough to passively accept all these increasingly shittier jobs with the lower pay, the longer hours, reduced benefits, the end of overtime and the vanishing pension that disappears the minute you go to collect it. And, now, they're coming for your Social Security. They want your fucking retirement money. They want it back, so they can give it to their criminal friends on Wall Street. And you know something? They'll get it. They'll get it all, sooner or later, because they own this fucking place. It's a big club, and you ain't in it. You and I are not in the big club.

This country is finished."

##

We now return you Americans to your media: Corporate, Government sponsored and controlled (rigged) elections..

Most of you are all so asleep it's time you woke up!

I think it's the most dangerous piece of tech ever (2)

Panaflex (13191) | about a year and a half ago | (#41203963)

Seriously... the ability to stitch together a thousand different versions of "the same" virus using pieces of code commonly available on every system would be overwhelming and devastating to a target.

No, you don't send the generator in the payload (unless you have it generate itself first), as it would be easily detected and reverse engineered. You send a thousand viruses at a set of targets and there will be no virus scanner able to handle 100% of them without dynamic analysis. With a zero day exploit and root kit implementation this is potentially devastating. With some careful engineering you could sometimes defeat dynamic analysis as well.

What makes current viruses largely ineffective is that you can only make a few effective ones in a limited time period. You need a large team of experienced developers to be able to build such a critter. Iterating new payloads takes lots of testing and QA. With this sort of tech you build one good virus blueprint and out comes thousands of different little beasties with a good probability of success. Each one is different!

This stuff is dangerous - atomic bomb dangerous if it gets a proper engineering.

Re:I think it's the most dangerous piece of tech e (1)

Opportunist (166417) | about a year and a half ago | (#41204185)

While I agree that there's a big threat, I don't see the sky falling yet. But I guess some AV companies that got complacent and retreated to creating automated pattern based signatures will have to invest in Analysis again (allow me to use this moment to greet a former employer of mine, guess you might soon regret axing the Analysis team in favor of that autosig tool, huh?).

It will likely be impossible to use standard pattern signatures anymore. Ok. Behaviour analysis will most likely be very difficult as well, since it doesn't "behave" the same way in every iteration of the virus, at least not fully. And that "not fully" is where I'd put the lever.

I haven't met a single piece of "morphing" malware, be it self modifying or, like in this case, created in different ways with each and every single infector that didn't have a flaw. There is always one where you can put your lever and pry it apart. I had my share of morphers on my desk back in the good ol' days of my time in analysis, and they eventually succumbed. Although what I can well see is that you might need a pretty large sample set of the malware to find the common link. This time, it will likely be very difficult to find a behaviour pattern that doesn't clash with the whitelist.

What I predict is less a flood of infections. I guess we'll see much more damage done by AV kits that kill critical system tasks they falsely identify as malware because their whitelist lacks the most recent update of said benign files.

Re:I think it's the most dangerous piece of tech e (1)

cpghost (719344) | about a year and a half ago | (#41204665)

This stuff is dangerous - atomic bomb dangerous if it gets a proper engineering.

It may sound old-fashioned to reiterate, but this stuff is only dangerous for operating systems that don't properly separate privileges and don't properly isolate and contain processes/tasks.

Re:I think it's the most dangerous piece of tech e (1)

gweihir (88907) | about a year and a half ago | (#41205089)

You miss one critical thing. Admittedly the story also glosses over this fundamental limitation: You cannot send any virus! You need the scanner/stitcher present on the target system and running as root in order to do its job. And it needs to be propagated along with any virus. Obviously that invalidates that whole thing.

Re:I think it's the most dangerous piece of tech e (0)

Anonymous Coward | about a year and a half ago | (#41205901)

You need the scanner/stitcher present on the target system and running as root in order to do its job. And it needs to be propagated along with any virus. Obviously that invalidates that whole thing.

Yes, the scanner/stitcher would be no different than a LZH compressor or any other pre-processor of code. It would be a quite suspicious looking piece of code that malware scanners could identify and block.

Brain washing the victim OS - Zombifying (0)

Anonymous Coward | about a year and a half ago | (#41203999)

This sounds like a progression from Viral coding techniques to Parasitical... even Reverse Transcriptase like.. infecting the normal operations of the organism to coopt their function and realign their purpose so they serve different ends.

Anti-Mallware may just have to become more sophisticated.. more like traffic cops and begin to "interpret" the letter of the law as "acceptable conduct" or behavior as opposed to a well defined misbehavior

NBAR deep packet inspection has similar problems at the transport layer.. how do you interpret apparently normal behavior as undesirable, without looking further into the content of the objectives of the data.. or its actions. There's plenty of room at the "bottom" as well as at the "top" in which ot hide, to paraphrase Richard Feynman.

I'm sorry but this is retarded. (0)

Anonymous Coward | about a year and a half ago | (#41204151)

every piece of malware is going to make OS and library calls which constitute 'stiching together standard pieces of code'.
the code that does the stiching itself is going to have its own signature which can be searched for. DUH.

Frankenstein technique unnecessary (0)

Anonymous Coward | about a year and a half ago | (#41204575)

There are much easier ways to defeat virus signature searches.

Consider the assembly code of a virus. Between every opcode, insert an explicit jump to the next instruction. This bloats the program to circa twice the size and half the speed.

Then, add a routine that randomize the order of instructions, but updating the jumps to keep the code doing the same as before. You might need two of this routine, so one can be running and rearrange the other. We don't want a constant signature on the rearranging part either.

Now you have a virus that mutates all over, with no signature - but it keeps working. And if people start looking for code with too much jumps, make blocks with jumps every sixth instruction or so instead. Still reorganizable, but no longer much more jumps than normal. You may also do equivalency transforms - i.e. make the code change itself to do the same but using different registers/memory for the job . . .

New? (1)

dzfoo (772245) | about a year and a half ago | (#41204951)

Isn't this just one of the features of "return oriented programming," wherein the stack is manipulated to point to a set of addresses containing a sequence of instructions already in the binary (whether in executable code, or in data structures), that combined forms malicious code?

Re:New? (1)

gweihir (88907) | about a year and a half ago | (#41205081)

It is. But, just as this stuff, return oriented programming is not viable on its own. It is just used for the exploit code to get your real payload to execute.

Re:New? (1)

dzfoo (772245) | about a year and a half ago | (#41205391)

I thought that return-oriented programming was precisely to build a payload out of innocuous numeric data values by manipulating them into looking like op-codes.

          -dZ.

Re:New? (1)

gweihir (88907) | about a year and a half ago | (#41205413)

Return-oriented programming is an exploit-technique to open the door for the actual payload. It has nothing to do with hiding that payload. It does help to hide the exploit, as the actual attack is far smaller than in a conventional buffer-overflow, where a piece of code goes on the stack. But in both cases, once the privilege-escalation has been achieved, some other piece of code takes over.

So, hiding, yes, to a degree, but only of the exploit code, not of the actual malicious payload or the "running malware" if you want to call it that.

Not viable (1)

gweihir (88907) | about a year and a half ago | (#41205075)

This is not ordinary code where doing these small things is a relatively good indicator you can do larger things. The scanner itself cannot be done this way, was it needs to know what it is scanning for. While an interesting idea, this approach has nowhere near the power claimed.

So basically... (2)

AttyBobDobalina (2525082) | about a year and a half ago | (#41205613)

Computer "viruses" as we know them are really more like computer "bacteria", whereas this concept is a bit more like a real virus.

RNA-Protein-RNA (1)

10101001 10101001 (732688) | about a year and a half ago | (#41205815)

Instead of all the unnecessary complexity of making Frankenstein code, why not just borrow an idea from the biological world? Write your malware/virus/whatever as an RNA strand that is transcribed into runnable code. Each base pair is translated, at random, to a small set of synonymous functional code. Finally, the transcoder itself (also coded in RNA) is included. The interesting bit then is, when it comes time to do a duplication, the code does reverse transcription back into RNA (a non-trivial but not impossible task) and re transcribes itself again. The real difficultly, of course, is then anti-virus/malware could simply do the reverse transcription themselves and do RNA matching. But given how trivial it would be to randomize the base -> code translation at each step... :/ The only other thing would be to try to signature match for all possible permutations of the transcoder/reverse transcoder.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...