Much malware can be identified by detection software because it contains known bits of malicious code, the "signatures" that scanners look for. But what if a virus were compiled from little bits of programs you already had installed? That's just what two security researchers are looking into.
Vishwath Mohan and Kevin Hamlen at the University of Texas at Dallas are interested in how malware disguises itself in order to propagate more widely. After all, with virus detectors and operating systems getting frequent updates, any positively identified virus will be destroyed on sight around the world soon after.
Malware authors and security experts have tried different ways to camouflage malicious code, like encrypting it or adding garbage data to confuse the scanners. But Mohan and Hamlen take it a step further: their virus builds itself out of pieces your computer knows to be safe — bits of applications like your word processor, image editor or Web browser.
Appropriately enough, they call it Frankenstein, and although right now it's still just a proof of concept, it's an indication of one avenue hackers might take in the future. Why bother sending out a whole application stuffed full of code that could be identified as bad news when you can just send a "blueprint" of what it needs, and let it assemble itself on-site, as it were?
Their Frankenstein is a "toy" version, which means it does not propagate itself onto other computers, but it can make variants of itself by stealing different code from different programs. That means every "mutant" version it creates of itself is built from different bytes, so a signature taken from one copy won't match the next, yet each piece, looked at on its own, is code lifted from a program the scanner already trusts. And there's no shortage of the snippets of code, which they call "gadgets." As they remark in the paper describing their work:
The results show that even with the limited capacity of our prototype, 2–3 binaries are sufficient to bring the number of gadgets above 100,000. On average we discovered about 46 gadgets per KB of code, finding approximately 2338 gadgets per second.
In other words, just two or three ordinary applications yielded more than 100,000 pieces to use. That many spare parts could keep the virus scanners busy for quite some time, though there is always the risk, from the malware author's point of view, that scanners could be trained to look for the "blueprint" instead of the resultant patched-together virus. But that too could be made to look legitimate.
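The harvesting-and-stitching idea described above, as an added illustration that is not Mohan and Hamlen's code and does not reproduce their tool: a small Python model that scans a constructed "benign binary" for byte sequences ending in a return instruction (the way byte-level gadget finders work), checks which of them satisfy each step of a semantic "blueprint" by running them on a tiny register model from random starting states, and then stitches one gadget per step into mutants that do the same job with different bytes. Everything here is an assumption for the example: the binary is hand-assembled, only a handful of x86-32 encodings (inc/dec, add/sub/xor/mov between registers, nop, ret) are modelled, and concrete-execution postcondition testing stands in for whatever semantic matching the paper uses.

```python
"""Toy model of gadget harvesting and blueprint-driven mutant building.

Illustrative only: a constructed binary, a tiny x86-32 subset and
concrete-execution matching stand in for the real thing.
"""
import itertools
import random

MASK = 0xFFFFFFFF
EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI = range(8)   # x86-32 register numbers
RET = 0xC3

# Constructed "benign binary": hand-assembled x86-32 snippets plus data bytes.
BENIGN_BINARY = bytes.fromhex(
    "5589e5"        # push ebp; mov ebp,esp   (function prologue)
    "31c0c3"        # xor eax,eax; ret
    "29c0c3"        # sub eax,eax; ret
    "89d8c3"        # mov eax,ebx; ret
    "41c3"          # inc ecx; ret
    "494141c3"      # dec ecx; inc ecx; inc ecx; ret
    "31d289c8c3"    # xor edx,edx; mov eax,ecx; ret
    "0000ffff"      # data, not code
    "01d8c3"        # add eax,ebx; ret
    "31c001d8c3"    # xor eax,eax; add eax,ebx; ret
    "89c3c3"        # mov ebx,eax; ret  (the modrm byte happens to be 0xC3 too)
    "90909090c3"    # nop sled; ret
)


def harvest_gadgets(code, max_len=6):
    """Every byte sequence of up to max_len bytes ending in a 0xC3 byte, the way
    byte-level gadget finders scan; many slices are not valid instructions."""
    found = set()
    for end, b in enumerate(code):
        if b == RET:
            for n in range(1, min(max_len + 1, end + 1) + 1):
                found.add(code[end - n + 1:end + 1])
    return found


def gadgets_per_kb(code, gadgets):
    """The density statistic quoted from the paper, on our toy input."""
    return len(gadgets) / (len(code) / 1024)


def decode(gadget):
    """Decode a gadget into (mnemonic, reg, rm) tuples (modelled subset only);
    None if a byte is outside the subset or the single ret is not the last byte."""
    insns, i = [], 0
    while i < len(gadget):
        op = gadget[i]
        if op == RET:
            return insns if i == len(gadget) - 1 else None
        if op == 0x90:                               # nop
            i += 1
            continue
        if 0x40 <= op <= 0x4F:                       # inc r32 (0x40+r) / dec r32 (0x48+r)
            insns.append(("inc" if op < 0x48 else "dec", op & 7, None))
            i += 1
            continue
        if op in (0x01, 0x29, 0x31, 0x89) and i + 1 < len(gadget):
            modrm = gadget[i + 1]
            if modrm >> 6 != 3:                      # register-to-register forms only
                return None
            name = {0x01: "add", 0x29: "sub", 0x31: "xor", 0x89: "mov"}[op]
            insns.append((name, (modrm >> 3) & 7, modrm & 7))
            i += 2
            continue
        return None
    return None                                      # ran off the end without a ret


def execute(insns, regs):
    """Run decoded instructions over a list of eight 32-bit registers."""
    r = list(regs)
    for name, reg, rm in insns:
        if name == "inc":
            r[reg] = (r[reg] + 1) & MASK
        elif name == "dec":
            r[reg] = (r[reg] - 1) & MASK
        elif name == "add":
            r[rm] = (r[rm] + r[reg]) & MASK
        elif name == "sub":
            r[rm] = (r[rm] - r[reg]) & MASK
        elif name == "xor":
            r[rm] ^= r[reg]
        elif name == "mov":
            r[rm] = r[reg]
    return r


# Semantic blueprint: each step is a postcondition over (before, after) states.
BLUEPRINT = [
    ("zero eax", lambda b, a: a[EAX] == 0),
    ("increment ecx", lambda b, a: a[ECX] == (b[ECX] + 1) & MASK),
    ("copy ebx to eax", lambda b, a: a[EAX] == b[EBX]),
]


def satisfies(gadget, post, trials=8, seed=1):
    """Concrete-execution stand-in for semantic matching: the gadget must decode,
    end in ret and meet the postcondition from several random register states."""
    insns = decode(gadget)
    if insns is None:
        return False
    rng = random.Random(seed)
    for _ in range(trials):
        before = [rng.getrandbits(32) for _ in range(8)]
        if not post(before, execute(insns, before)):
            return False
    return True


def candidates(gadgets, blueprint):
    """Map each blueprint step to the sorted gadgets that implement it."""
    return {name: sorted(g for g in gadgets if satisfies(g, post))
            for name, post in blueprint}


def stitch(chosen):
    """Inline-stitch gadgets: drop each gadget's ret, end the body with one ret."""
    return b"".join(g[:-1] for g in chosen) + bytes([RET])


def all_mutants(code=BENIGN_BINARY, blueprint=BLUEPRINT):
    """Every byte-distinct mutant the harvested gadgets can build for the blueprint."""
    cands = candidates(harvest_gadgets(code), blueprint)
    return [stitch(choice)
            for choice in itertools.product(*(cands[n] for n, _ in blueprint))]


def mutant_is_correct(mutant):
    """Whole-mutant check: the composed effect of all three blueprint steps holds."""
    return satisfies(mutant, lambda b, a: a[EAX] == b[EBX]
                     and a[ECX] == (b[ECX] + 1) & MASK, seed=7)


if __name__ == "__main__":
    gs = harvest_gadgets(BENIGN_BINARY)
    print(len(gs), "byte-level gadgets,", round(gadgets_per_kb(BENIGN_BINARY, gs)), "per KB")
    for m in all_mutants():
        print(m.hex(), mutant_is_correct(m))
```

Two things carry over from the toy to the real technique: most byte-level slices are not even valid instructions, so the raw gadget count overstates what is usable, and a gadget is accepted on its effect rather than its bytes, which is exactly why a signature taken from one mutant (say, the `31c0` of `xor eax,eax`) does not match the next one built from `29c0` or a prologue fragment that happens to zero the register along the way.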
Mohan and Hamlen hope that being aware of camouflaging systems like this will make virus detection stronger and better; after all, if they didn't invent it, some less well-meaning person might have instead, and it would be at large instead of in a paper.
The research was supported by Air Force and National Science Foundation grants. The paper, "Frankenstein: Stitching Malware from Benign Binaries," is available for free download here, as well as the slides from Mohan and Hamlen's presentation at the USENIX security workshop.
Devin Coldewey is a contributing writer for NBC News Digital. His personal website is coldewey.cc .