In an effort to stay one step ahead of cyberattackers, researchers at the University of Texas at Dallas created a monster. A new kind of malware, named Frankenstein, avoids detection by repurposing trusted host programs and using methods differing from those used by traditional malware.
"We wanted to build something that learns as it propagates," said Dr. Kevin Hamlen, associate professor of computer science at UT Dallas who created the software along with his doctoral student Vishwath Mohan, Science Daily reported. "Frankenstein takes from what is already there and reinvents itself. Just as [author Mary] Shelley's monster was stitched from body parts, our Frankenstein also stitches software from original program parts, so no red flags are raised. [The malware] looks completely different, but its code is consistent with something normal.”
Most so-called "metamorphic malware" attempts to avoid detection by mutating semi-randomly, a method which lends itself to detection once anti-malware software manufacturers determine the mutation algorithm being used. The creators of Frankenstein suggest that using code from known, non-malicious programs could allow malware to not only go undetected, but become white-listed.
Hamlen and Mohan's research, which was supported by the National Science Foundation and Air Force Office of Scientific Research, could be used to improve existing anti-malware software and also be used for offensive cyberoperations, according to a research paper published online as part of a recent USENIX Workshop on Offensive Technologies.
The next stage of research, the researchers said, will include a more comprehensive system and experiments to verify and extend initial research results. Technical details about the research can be found here.