Dr. Frankenstein’s Malware (and the theory behind sleephacking)

Researchers have develped malware that hides itself by not existing. Or at least in the conventional sense: it off-loads most of the computing to bits of code conveniently left lying about by other programs on the system. I don’t quite understand how it finds these bits, but it seems to be capable of stitching itself together from different program-parts every time it runs.

Sleephacking: First off, a tip — your mind will work a lot better if you use an alarm clock no more than every other day, or kill the thing entirely. This dovetails nicely with avoiding 9-5 day jobs in the name of mental health.

Right, so why should putting a slowly-pulsing electromagnet near my head at night, or slowly-flashing lights in front of my face, reduce the amount of sleep I need at night?

The theory is the same as that which underlies polyphasic sleep — that lifehacking near-cliché associated with Buckminster Fuller and people who wear Vibram shoes.

Basically, polyphasic sleep uses engineered sleep deprivation to force the body to enter slow-wave sleep faster and more efficiently[1]. By cutting out the unnecessary bits of sleep, you need less per day — down to a theoretical minimum of 3 hours a day.

Unfortunately, polyphasic sleeping /sucks/. Try it, you’ll see why “allow the detainee no more than two hours of sleep at a time” is a military interrogation technique.

That’s where the technical wizardry comes in. If I can use technical means to push my brain into slow-wave sleep ASAP, there’s no need for orange-jumpsuit tactics.

[1] http://www.supermemo.com/articles/polyphasic.htm


“A recent research technique manages to hide malware by stitching together bits of program that are already installed in the system to create the functionality required. It makes malware more difficult to detect by creating a Frankenstein version.[…]

The idea is related to Return Oriented Programming (ROP). This builds a program from fragments of code already in the address space which end in a return. This allows an exploit which has taken over the stack to do anything it cares to without having to install new code or overwrite existing code so potentially triggering a hardware detection mechanism.

The fragments of code that ROP uses are called “gadgets” and each gadget performs a simple task that can be assembled into something that performs effective computation. It isn’t difficult to show that it doesn’t take much loaded code to derive enough gadgets to form a Turing complete set.

The same idea is used by Frankenstein, only in this case the code can be on disk or in memory. Also in this case the gadgets don’t have to end in a return as they are going to be stitched together rather than run from the stack.

A set of logical specifications of what a gadget has to do is used to search for program fragments that meet the specification. Each gadget is a short sequence of machine instructions that performs a simple task, such as loading a register, but also does lots of other things that are side effects and not part of the gadget’s task. Each specification accumulates a range of gadgets that do the same thing but with different side effects.

A list of what each gadget also effects, or “clobbers”, is also kept so that gadgets can be put together in a way that doesn’t alter their main purpose, i.e. so that there are no unwanted interactions.

The resulting program achieves the target behavior but it is stitched together from gadgets that do all sorts of irrelevant things on the way. Two such realizations of the same program would therefore look very different using different gadgets that do the same basic tasks. This is a form of dynamic obfuscation that wipes out any hope of finding a stable signature, even though the resulting programs all do the same thing.

Existing mutational techniques for hiding malware generally only use techniques such as XORing a fixed string with the code or swapping blocks of code around. The Frankenstein approach builds a new “body” from parts scavenged from existing programs and so creates something new each time.

Compared to the existing techniques of hiding malware the Frankenstein approach has lots of advantages – the question is, is it already in use?”


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: