Chameleon code gives hackers advantage
By Duncan Graham-Rowe

The arms race between malicious hackers and the guardians of computer networks looks set to intensify with the development of “chameleon code”. The new weapon could leave networks defenceless as malicious hackers gain access undetected.

Hackers routinely break into networks using “scripts”, instructions they send to the network to allow them to issue commands remotely. The hackers’ new tool, known as polymorphic code, camouflages scripts so they can evade detection.

Computer network managers install software packages known as intruder detection systems (IDSs) to spot hackers. IDSs use a number of tricks to detect trespassers, such as scanning network activity to spot known characteristics, or signatures, of hacking scripts. IDS software is regularly updated to recognise the signatures of new scripts as they are developed.

But according to K2, the Vancouver-based hacker who developed a version of polymorphic code to highlight the weaknesses of networks, there is no way to defend against camouflaged script. “Not the way current systems are designed,” he says.

K2’s camouflaging software can take the same script and make it look different every time it is used. This makes it impossible for network managers to build up a signature profile of the script. “Every execution will be unique,” says K2. “It doesn’t quite change the script because each line of code will equate to the same function.” It’s the equivalent of changing 4+1 to 2+3. They both equal 5 but look completely different to a signature-recognising program, he says.

Another technique used by the camouflaging software is to add lines of dummy code that don’t affect the function of the script but change its appearance. “I have tried it out on lots of systems,” K2 says. All the major IDS software was unable to detect it.
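The 4+1 versus 2+3 point and the dummy-line trick described above, as an added Python illustration that is not from the article or from K2’s tool: a toy stack-machine script, a line-for-line signature matcher that misses the disguised variants, and the detection-side response of canonicalising the script (dropping dummy NOPs, folding constants) and comparing behaviour rather than text. The instruction set, the sample scripts and the signature are all constructed for this example.

```python
# Toy "script" format (constructed for this example): one instruction per line.
#   PUSH n  - push integer n      ADD - pop two, push their sum
#   EMIT    - pop and output      NOP - dummy line with no effect
ORIGINAL = ["PUSH 5", "EMIT"]                                   # the known script
VARIANT_A = ["NOP", "PUSH 2", "PUSH 3", "ADD", "NOP", "EMIT"]    # 2+3 plus dummy lines
VARIANT_B = ["PUSH 1", "PUSH 1", "ADD", "NOP", "PUSH 3", "ADD", "EMIT"]  # (1+1)+3
SIGNATURE = ["PUSH 5", "EMIT"]          # what a signature-based IDS was taught to look for


def signature_match(script, signature=SIGNATURE):
    """Exact sliding-window match of the signature against the raw script lines."""
    n = len(signature)
    return any(script[i:i + n] == signature for i in range(len(script) - n + 1))


def canonicalise(script):
    """Normalise before matching: remove NOPs and fold PUSH a, PUSH b, ADD into PUSH a+b.
    The output list doubles as a stack, so nested splits such as (1+1)+3 fold fully."""
    out = []
    for ins in script:
        if ins == "NOP":
            continue
        if ins == "ADD" and len(out) >= 2 and all(x.startswith("PUSH ") for x in out[-2:]):
            b = int(out.pop().split()[1])
            a = int(out.pop().split()[1])
            out.append(f"PUSH {a + b}")
            continue
        out.append(ins)
    return out


def behaviour(script):
    """Run the script in a tiny emulator and return what it emits: its observable effect."""
    stack, emitted = [], []
    for ins in script:
        op, *arg = ins.split()
        if op == "PUSH":
            stack.append(int(arg[0]))
        elif op == "ADD":
            b, a = stack.pop(), stack.pop()
            stack.append(a + b)
        elif op == "EMIT":
            emitted.append(stack.pop())
        elif op != "NOP":
            raise ValueError(f"unknown instruction {ins!r}")
    return emitted


def detect(script):
    """Which of the three approaches flags this script as the known one."""
    return {
        "raw_signature": signature_match(script),
        "canonical_signature": signature_match(canonicalise(script)),
        "behaviour": behaviour(script) == behaviour(ORIGINAL),
    }
```

Running `detect` on the two variants shows the raw signature missing both while the canonical-form and behaviour checks flag them, which is the change of tack the article goes on to describe.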
Presenting his polymorphic code at DEFCON, the annual hackers’ convention in Las Vegas this week, K2 told New Scientist there is a good chance that hackers are already using similar techniques to gain access to company networks. One saving grace is that most hackers won’t have the skills needed to cause serious damage using such code.

Network sentinels may have to change tack and look for behaviour profiles rather than individual types of script, says Peter Sommer, a computer security expert at the London School of Economics. He has never heard of polymorphic code being used, but the idea is familiar in computer security circles. It’s just been a question of when it would arrive, he says. “But then how do you know about something that isn’t detectable?