sys·ad·min·ol·o·gy [sis-ad-mih-nol-uh-jee]


  1. The scientific study of system administration and related phenomena.

Sunday, 6 January 2013

It's Alive! It's Alive! Say Hello To The Frankenstein Virus

Computer viruses don't need to carry malicious payloads any more. They just need the ability to use parts from other programs.

In research funded by the US Air Force, Kevin Hamlen and Vishwath Mohan have written a virus that constructs itself by re-using bits of code already on the infected PC. The programs they reap these instructions from don't even have to be malicious in themselves!
A key component of most malware these days is a connection (normally via port 80, so that it blends in with ordinary web traffic) to a cluster of C&C (Command and Control) servers from which it gets its instructions: log key presses, turn on the webcam, or just hit a URL. This functionality can, of course, be found in Internet Explorer!

Each discrete bit of code is called a gadget. By combining gadgets, the Frankenstein virus is able to create simple malware. Every time the virus infects a new computer, the gadgets are changed, while the overall functionality stays the same.

In fact, Hamlen and Mohan showed that just three pieces of legitimate software were enough to provide 100,000 gadgets. This presents a major problem for existing virus detection techniques, which look for signatures in a program's code to determine whether or not it is malicious.
Previous viruses have attempted, and still attempt, to change themselves to avoid detection (polymorphic and metamorphic malware), but never before have they done so in such a sophisticated way.

That said, defence against a Frankenstein virus is not impossible. Anti-virus programs could search for a series of gadgets "stuck together", or take a more heuristic approach: if the definition of a virus is something like "it remembers what I type and sends it to a web site", then the specifics of how that is done no longer matter.

Heuristic matching has been around for some time, but is still too experimental to be relied on without signature-based detection backing it up.
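The two ideas above, gadgets being swapped on every infection and a behavioural rule catching what a signature misses, are easy to see side by side in a toy model. The following is an added example written for this post, not the researchers' code: a tiny made-up instruction set stands in for x86, the gadget pool is constructed by hand rather than harvested from real binaries, and the syscall names, register names and the "benign fetch" program are all assumptions for illustration.

```python
"""Toy model of a gadget-assembled ("Frankenstein") payload versus two detectors.

Constructed example: a made-up instruction set (mov/add/sub/nop/syscall on
registers r0..r3) stands in for x86, and the gadget pool below is hand-written
rather than harvested from real binaries.
"""
import hashlib

# Several byte-for-byte different, behaviourally equivalent gadgets per step,
# as if each had been harvested from a different benign program on the victim.
GADGET_POOL = {
    "set_port_80": [["mov r0, 80"],
                    ["mov r0, 0", "add r0, 80"],
                    ["mov r0, 100", "sub r0, 20"]],
    "connect":     [["syscall CONNECT"],
                    ["nop", "syscall CONNECT"]],
    "keylog":      [["syscall KEYLOG"],
                    ["mov r2, 0", "syscall KEYLOG"],
                    ["mov r3, 1", "syscall KEYLOG"]],
    "send":        [["syscall SEND"],
                    ["nop", "nop", "syscall SEND"]],
}
PAYLOAD_STEPS = ["set_port_80", "connect", "keylog", "send"]

# A benign program (constructed) with the same port-80 traffic but no
# keylogging, like a browser fetching a URL: checks the heuristic's precision.
BENIGN_FETCH = ["mov r0, 80", "syscall CONNECT", "syscall SEND"]


def build_payload(generation):
    """Assemble one 'infection': a different gadget for each step per generation."""
    program = []
    for i, step in enumerate(PAYLOAD_STEPS):
        pool = GADGET_POOL[step]
        program.extend(pool[(generation + i) % len(pool)])
    return program


def signature(program):
    """What a signature scanner keys on: a hash of the exact instruction bytes."""
    return hashlib.sha256("\n".join(program).encode()).hexdigest()


def signature_detect(program, known_bad):
    """Signature-based AV: flags only byte sequences seen before."""
    return signature(program) in known_bad


def run(program):
    """Execute on the toy machine; return the trace of (syscall, r0) events."""
    regs = {"r0": 0, "r1": 0, "r2": 0, "r3": 0}
    trace = []
    for insn in program:
        op, _, args = insn.partition(" ")
        if op == "nop":
            continue
        if op == "syscall":
            trace.append((args, regs["r0"]))   # r0 holds the port for CONNECT/SEND
            continue
        reg, imm = [a.strip() for a in args.split(",")]
        imm = int(imm)
        if op == "mov":
            regs[reg] = imm
        elif op == "add":
            regs[reg] += imm
        elif op == "sub":
            regs[reg] -= imm
        else:
            raise ValueError(f"unknown instruction: {insn}")
    return trace


def behaviour_detect(program):
    """Heuristic rule: 'records keystrokes and later sends them to a web server'."""
    keylogged = False
    for name, port in run(program):
        if name == "KEYLOG":
            keylogged = True
        elif name == "SEND" and keylogged and port == 80:
            return True
    return False


if __name__ == "__main__":
    known_bad = {signature(build_payload(0))}   # AV learns from the first sample
    for gen in range(4):
        p = build_payload(gen)
        print(f"gen {gen}: sig={signature(p)[:12]} "
              f"signature={signature_detect(p, known_bad)} "
              f"behaviour={behaviour_detect(p)}")
    print("benign fetch flagged:", behaviour_detect(BENIGN_FETCH))
```

Running it shows the signature scanner catching only generation 0, the one it was trained on, while every generation produces the identical trace (connect to port 80, keylog, send) and so trips the behavioural rule; the benign fetch, which also talks to port 80, is left alone. The rule is deliberately crude, and that is the caveat from the post in miniature: a behavioural definition has to be specific enough not to flag Internet Explorer itself.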
