Hackers could evade most existing antivirus protection by hiding malicious code within ordinary text, according to security researchers.
One of the most common ways of hijacking other people鈥檚 computers is to use 鈥渃ode-injection鈥 attacks, in which malicious computer code is delivered to and then run on victims鈥 machines. Current security measures work on the assumption that the code used has a different structure to plain text such as English prose.
Now a team of researchers has highlighted a potential future theatre in the virus-security arms race by working out how to hide malware within English-language sentences.
Advertisement
of Johns Hopkins University in Baltimore, Maryland, and his colleagues developed a way to search a large set of English text 鈥 mostly composed of more than 15,000 Wikipedia articles and roughly 27,000 books from the online library 鈥 for combinations of words that could be used in code.
Their program highlighted the text to be used in the instruction set in bold, while leaving the sections to be skipped in plain text, as in the following example: There is a major center of economic activity, such as Star Trek, including The Ed Sullivan Show. The former Soviet Union.鈥
CODE STANDS OUT
It鈥檚 not the first time the potential weakness has been recognised, but many computer security experts thought the rules of English word and sentence construction would make the task impossible.
In machine code 鈥 the raw code that microprocessor chips understand 鈥 combinations of characters not seen in plain text, such as strings of mostly capital letters, are required.
鈥淭here was not a lot to suggest it could be done because of the restricted instruction set [of machine code],鈥 said Mason. 鈥淎 lot of people didn鈥檛 think it could be done.鈥
John Walker, managing director of UK security consultancy , said the research highlighted a basic weakness in antivirus tactics, and that hackers would undoubtedly try to exploit it. 鈥淭here is no doubt in my mind that antivirus software as we know it today has gone well past its sell-by date,鈥 he said.
, a security and cryptology researcher at University College London, said malicious code in this form would be 鈥渧ery hard if not impossible to detect reliably鈥.
Shell game
Hackers call the part of a code-injection attack that is used to gain control of a vulnerable computer 鈥渟hell code鈥. Because this is usually written in machine code, Mason and colleagues dubbed their technique 鈥淓nglish shell code鈥.
They presented (PDF) at the in Chicago earlier this month, being careful to leave out some of their methodology to avoid helping malicious hackers.
鈥淚鈥檇 be astounded if anyone is using this method maliciously in the real world, due to the amount of engineering it took to pull off,鈥 said Mason. He added that he and his colleagues developed the proof of concept to highlight the weakness and to encourage the development of security measures before hackers worked out how to use similar techniques.