A recent research technique manages to hide malware by stitching together pieces of programs that are already installed on the system to create the functionality required. It makes malware more difficult to detect by creating a Frankenstein version.
Although the Frankenstein system is only a proof of concept, and the code created just did some simple tasks, sorting and XORing, without having the ability to replicate, computer scientists from the University of Texas at Dallas have certainly proved that the method is viable.
And who knows, it might even be out there in the wild. After all, one of the main advantages of the method is that it hides malware more effectively.
The idea is related to Return Oriented Programming (ROP). This builds a program from fragments of code already in the address space, each of which ends in a return. This allows an exploit which has taken over the stack to do anything it cares to without having to install new code or overwrite existing code, either of which could potentially trigger a hardware detection mechanism.
The fragments of code that ROP uses are called "gadgets" and each gadget performs a simple task; the gadgets can be assembled into something that performs effective computation. It isn't difficult to show that it doesn't take much loaded code to derive enough gadgets to form a Turing-complete set.
The same idea is used by Frankenstein, only in this case the code can be on disk or in memory. Also, in this case the gadgets don't have to end in a return, as they are going to be stitched together into a new program rather than run from the stack.
A set of logical specifications of what a gadget has to do is used to search for program fragments that meet the specification. Each gadget is a short sequence of machine instructions that performs a simple task, such as loading a register, but also does lots of other things that are side effects and not part of the gadget's task. Each specification accumulates a range of gadgets that do the same thing but with different side effects.
A list of what else each gadget affects, or "clobbers", is also kept so that gadgets can be put together in a way that doesn't alter their main purpose, i.e. so that there are no unwanted interactions between one gadget's side effects and the next gadget's task.
The resulting program achieves the target behavior but it is stitched together from gadgets that do all sorts of irrelevant things on the way. Two such realizations of the same program would therefore look very different using different gadgets that do the same basic tasks. This is a form of dynamic obfuscation that wipes out any hope of finding a stable signature, even though the resulting programs all do the same thing.
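To make the specification, clobber-list and stitching idea concrete, here is an added toy example; it is not the UT Dallas code, which works on real x86 binaries. Everything in it is constructed for the example: a four-register 8-bit machine, a small gadget library, a semantic check that each gadget really does what its specification says (recording what else it clobbers), and a composer that only joins gadgets whose side effects leave alone the registers a later step or the final output still needs. The same `r2 := r0 xor r1` program comes out in several instruction-level forms, and a pattern taken from one of them matches none of the others.

```python
from itertools import product

# Toy register machine (constructed here, not the paper's x86 engine): 8-bit regs, 3 ops.
REGS = ("r0", "r1", "r2", "r3")
TEST_STATES = [{r: (37 * k + 11 * i) & 0xFF for i, r in enumerate(REGS)} for k in range(8)]

def run(code, state):
    s = dict(state)
    for op, dst, src in code:
        v = s[src] if src in s else src  # src is a register name or an immediate
        if op == "mov":   s[dst] = v
        elif op == "xor": s[dst] ^= v
        elif op == "add": s[dst] = (s[dst] + v) & 0xFF
    return s

# Constructed gadget library: (code, task). The task is the one effect the gadget is kept
# for; every other register it changes is a side effect that ends up in its clobber set.
LIBRARY = [
    ([("xor", "r0", "r1")], ("xor", "r0", "r1")),
    ([("add", "r3", 7), ("xor", "r0", "r1"), ("mov", "r2", "r3")], ("xor", "r0", "r1")),
    ([("mov", "r3", "r1"), ("xor", "r0", "r3")], ("xor", "r0", "r1")),
    ([("mov", "r2", "r0")], ("mov", "r2", "r0")),
    ([("mov", "r3", "r0"), ("add", "r1", 1), ("mov", "r2", "r3")], ("mov", "r2", "r0")),
    ([("add", "r2", 0), ("xor", "r2", "r2"), ("xor", "r2", "r0")], ("mov", "r2", "r0")),
]

def clobbers(code, task):
    # Semantic check on every test state: the task's target must come out right;
    # any other register that changed is a clobber.
    dst = task[1]
    hit = set()
    for before in TEST_STATES:
        after = run(code, before)
        assert after[dst] == run([task], before)[dst], f"{code} does not implement {task}"
        hit |= {r for r in REGS if r != dst and after[r] != before[r]}
    return hit

def realizations(spec, outputs):
    # Every stitching of the spec in which no gadget clobbers a register that a later
    # step reads or that is a program output (no unwanted interactions).
    choices = []
    for i, task in enumerate(spec):
        live = set(outputs) | {r for t in spec[i + 1:] for r in t[1:] if r in REGS}
        choices.append([code for code, t in LIBRARY
                        if t == task and not clobbers(code, t) & live])
    return [[ins for code in combo for ins in code] for combo in product(*choices)]

def matches_signature(program, signature):
    # Pattern-style detection: is the signature a contiguous run of the program?
    return any(program[i:i + len(signature)] == signature
               for i in range(len(program) - len(signature) + 1))

# The program to realise: r2 := r0 xor r1, with r2 the only output that must survive.
SPEC, OUTPUTS = [("xor", "r0", "r1"), ("mov", "r2", "r0")], ["r2"]
```

Running `realizations(SPEC, OUTPUTS)` gives six instruction sequences that all leave `r0 xor r1` in `r2`; the gadget that clobbers `r2` mid-way is rejected for the first step because `r2` is still live, and the instruction sequence of any one realization matches only itself.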
Existing mutational techniques for hiding malware generally rely on tricks such as XORing the code with a fixed string or swapping blocks of code around. The Frankenstein approach builds a new "body" from parts scavenged from existing programs and so creates something new each time.
Compared to the existing techniques of hiding malware the Frankenstein approach has lots of advantages, and the question is: is it already in use?