By hunting through benign bits of code on your computer, the Frankenstein virus can turn itself into something rather nasty

What could possibly go wrong? (Image: SNAP/Rex Features)

MARY SHELLEY’S Victor Frankenstein stitched together the body parts of ordinary individuals and created a monster. Now computer scientists have done the same with software, demonstrating the potential for hard-to-detect viruses that are stitched together from benign code pilfered from ordinary programs.

The monstrous virus software, dubbed Frankenstein, was created by Vishwath Mohan and Kevin Hamlen at the University of Texas at Dallas. Having infected a computer, it searches the bits and bytes of common software such as Internet Explorer and Notepad for snippets of code called gadgets – short instructions that perform a particular kind of small task.

Previous research has shown that it is theoretically possible, given enough gadgets, to construct any computer program. Mohan and Hamlen set out to show that Frankenstein could build working malware code by having it create two simple algorithms purely from gadgets. “The two test algorithms we chose are simpler than full malware, but they are representative of the sort of core logic that real malware uses to unpack itself,” says Hamlen. “We consider this a strong indication that this could be scaled up to full malware.”

Frankenstein follows pre-written blueprints that specify certain tasks – such as copying pieces of data – and swaps in gadgets capable of performing those tasks. Such swaps repeat each time Frankenstein infects a new computer, but with different gadgets, meaning that the malware always looks different to antivirus software, even if its ultimate effects are the same.

The research was part-funded by the US air force, and Hamlen says that Frankenstein could be particularly useful for national security agencies attempting to infiltrate enemy computer systems with unknown antivirus defences. “It essentially infers what the [target computer’s] defences deem permissible from the existing files on the system to help it blend in with the crowd,” he says.

Existing malware already attempts to randomly mutate its code to some extent, but antivirus software can still recognise it as something nasty.

Frankenstein is different because all of its code, including the blueprints and gadget-finder, can adapt to look like parts of regular software, making it harder to detect. Just three pieces of such software are enough to provide over 100,000 gadgets, so there are a huge number of ways for Frankenstein to build its monster, but it needs blueprints that find the right balance. If the blueprint is too specific, it leaves Frankenstein little choice in which gadgets to use, leading to less variation and making it easier to detect. Looser blueprints, which only specify the end effects of the malware, are too vague for Frankenstein to follow, for now.


The researchers presented the work at the USENIX Workshop on Offensive Technologies in Bellevue, Washington, this month.

Marco Cova at the University of Birmingham, UK, says that fighting Frankenstein could be a challenge for current antivirus software that relies on identifying various distinctive signatures of malware, but some defence is possible. Antivirus software could either look for signatures that match sequences of gadgets, or it could look at the behaviour of a program rather than its specific code. “If the definition of maliciousness is ‘a program reads my keystrokes and sends them to a remote website’ then you don’t care about the specific byte sequences that implement this behaviour,” Cova says.
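To make Cova's point concrete, here is an added simulation that is not code from the researchers or from this article: a toy blueprint is filled with randomly chosen, interchangeable byte sequences standing in for harvested gadgets, and a plain byte-hash signature is compared with a signature over the sequence of gadget tasks. The gadget byte strings, the blueprint and the defender's gadget catalogue are all constructed for the example.

```python
import hashlib
import random

# Constructed stand-ins for gadgets harvested from benign programs: for each
# abstract task in a blueprint, several different byte sequences (made up for
# this simulation) that a builder would treat as interchangeable.
GADGET_POOL = {
    "load":  [b"\x8b\x45\x08\xc3", b"\x8b\x04\x24\xc3", b"\x90\x8b\x45\x08\xc3"],
    "xor":   [b"\x31\xc8\xc3", b"\x31\xc1\x89\xc8\xc3", b"\x90\x31\xc8\xc3"],
    "store": [b"\x89\x45\xfc\xc3", b"\x89\x04\x24\xc3"],
}

# Toy blueprint: the task sequence of a decode-and-write loop body, repeated.
BLUEPRINT = ["load", "xor", "store", "load", "xor", "store"]

# Defender-side catalogue mapping a known gadget back to its abstract task
# (an assumption standing in for a real semantic-equivalence check).
TASK_OF_GADGET = {g: task for task, gs in GADGET_POOL.items() for g in gs}


def build_variant(rng):
    """Stitch one concrete instance by picking a random gadget per task."""
    chosen = [rng.choice(GADGET_POOL[task]) for task in BLUEPRINT]
    return b"".join(chosen), chosen


def byte_signature(code):
    """Classic signature: a hash over the exact bytes of the sample."""
    return hashlib.sha256(code).hexdigest()


def gadget_sequence_signature(chosen):
    """Cova's alternative: a signature over the sequence of gadget tasks."""
    return tuple(TASK_OF_GADGET.get(g, "unknown") for g in chosen)


def simulate(n_infections, seed=0):
    """Return (distinct byte signatures, distinct gadget-sequence signatures)
    observed across n_infections rebuilds of the same blueprint."""
    rng = random.Random(seed)
    byte_sigs, seq_sigs = set(), set()
    for _ in range(n_infections):
        code, chosen = build_variant(rng)
        byte_sigs.add(byte_signature(code))
        seq_sigs.add(gadget_sequence_signature(chosen))
    return len(byte_sigs), len(seq_sigs)


if __name__ == "__main__":
    distinct_bytes, distinct_seqs = simulate(20)
    print(f"20 infections: {distinct_bytes} byte signatures, "
          f"{distinct_seqs} gadget-sequence signature(s)")
```

Each rebuild yields a new byte hash, so a byte-level signature written for one infection misses the next, while the task-sequence signature stays constant across all of them.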

Unstoppable gadget cannibalism

Defending against malware able to build itself from other bits of code is never easy. Last month, Microsoft released an updated version of its Enhanced Mitigation Experience Toolkit (EMET), which provides extra protection for some PC users. It features a new defence designed to stop malware from executing other software’s code, just as Frankenstein does (see main story). It works by wrapping key software in a layer of code that checks whether parts of the software are being repurposed. Microsoft paid $50,000 in a recent security prize to the creator of the technique, but just two weeks later an Iranian security researcher called Shahriyar Jalayeri claimed to have bypassed EMET’s protective wrapper.