{"id":1759,"date":"2011-09-06T18:58:25","date_gmt":"2011-09-06T22:58:25","guid":{"rendered":"http:\/\/rbachnet.wwwmi3-ss40.a2hosted.com\/?p=1759"},"modified":"2021-08-03T22:07:28","modified_gmt":"2021-08-04T02:07:28","slug":"malware-in-text","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/malware-in-text\/","title":{"rendered":"Malware in Text"},"content":{"rendered":"

\"\"A team of security researchers has engineered a way of hiding malware in sentences that read like English language spam. The research led by\u00a0Dr. Josh Mason<\/a> of Johns Hopkins University<\/a> along with Dr. Sam Small of Johns Hopkins, Dr. Fabian Monrose of the University of North Carolina<\/a>, and Greg MacManus of iSIGHT Partners<\/a> outlined the threat in a paper English Shellcode<\/a> <\/em> (PDF<\/a>) presented at the 2009 ACM<\/a> Conference on Computer and Communications Security<\/a>. According<\/a> to the UK’s<\/a> Computing<\/a>,<\/em> the paper shows hackers could evade anti-virus protection by hiding malicious code<\/a> in sentences that read like English language spam<\/p>\n

\"alphanumeric<\/a>The article says that attackers could develop a tool that would be the next step in the hacking and virus arms race. Hackers could hide alphanumeric shellcode<\/a> in valid files which would activate the malicious payload of a code-injection<\/a> attack. This attack vector could give attackers control of system resources, applications, and data on a compromised computer.<\/p>\n

The researchers report they can generate English shellcode in less than one hour on standard PC hardware. The text in bold is the instruction set and the plain text is skipped. \u201cThere is a major<\/strong> center of economic activity, such as Star Trek<\/strong>, including The Ed Sullivan Show<\/strong>. The former<\/strong> Soviet Union. International organization participation.\u201d<\/p>\n

The good news, Dr. Mason said that the widespread use of this attack vector is limited because the alphanumeric character set is much smaller than the set of characters available in Unicode and UTF-8<\/a> encodings. This means that the set of instructions available for composing alphanumeric shellcode is relatively small. \u201cThere was really not a lot to suggest it could be done because of the restricted instruction set,<\/em>\u201d said Dr. Mason. Long strings of mostly capital letters, for example, would be very suspicious.<\/p>\n

Computing <\/em>claims the work is a breakthrough. Current network security techniques work on the assumption that the code used in code-injection attacks, where it is delivered and run on victims\u2019 computers, has a different structure to non-executable plain data, such as English prose. If an attacker challenge’s the assumption that executable code structure is different from non-executable data malware would be almost impossible to detect.<\/p>\n

Dr. Nicolas T Courtois<\/a>, an expert in security and cryptology at University College London<\/a>, said malware deployed in this way would be \u201chard, if not impossible, to detect reliably.<\/em>\u201d The research is a proof of concept, but Dr. Mason doubts any hackers are using the technique to disguise their code. \u201cI’d be astounded if anyone is using this method in the real world owing to the amount of engineering it took to pull off,<\/em>\u201d he said. \u201cA lot of people didn’t think it could be done.<\/em>\u201d<\/p>\n

Professor John Walker, managing director of forensics consultancy Secure-Bastion<\/a>, argued the research highlights the flaws in the anti-virus community’s approach to security exploits. \u201cThere is no doubt in my mind that anti-virus software<\/a> as we know it today has gone well past its sell-by date,<\/em>\u201d he said.<\/p>\n

Related articles<\/h6>\n