Frankenstein: Stitching Malware from Benign Binaries

Discussion in 'malware problems & news' started by Baserk, Aug 20, 2012.

Thread Status:
Not open for further replies.
  1. Baserk

    Baserk Registered Member

    Apr 14, 2008
    From Usenix site; Vishwath Mohan en Kevin Hamlen, from University of Texas, will give a presentation this month at Usenix woot/workshop on offensive technologies;

    This paper proposes a new self-camouflaging malware propagation system, Frankenstein, that overcomes shortcomings in the current generation of metamorphic malware.
    Specifically, although mutants produced by current state-of-theart metamorphic engines are diverse, they still contain many characteristic binary features that reliably distinguish them from benign software.
    Frankenstein forgoes the concept of a metamorphic engine and instead creates mutants by stitching together instructions from non-malicious programs that have been classified as benign by local defenses.
    This makes it more difficult for featurebased malware detectors to reliably use those byte sequences as a signature to detect the malware.
    The instruction sequence harvesting process leverages recent advances in gadget discovery for return-oriented programming. Preliminary tests show that mining just a few local programs is sufficient to provide enough gadgets to implement arbitrary functionality.
    link / paper PDF link

    I'm curious, malware raking your progs for extended functionalities...
    Last edited: Aug 20, 2012
Thread Status:
Not open for further replies.