Frankenstein: Stitching Malware from Benign Binaries


Vishwath Mohan and Kevin W. Hamlen, University of Texas at Dallas


This paper proposes a new self-camouflaging malware propagation system, Frankenstein, that overcomes shortcomings in the current generation of metamorphic malware. Specifically, although mutants produced by current state-of-theart metamorphic engines are diverse, they still contain many characteristic binary features that reliably distinguish them from benign software.

Frankenstein forgoes the concept of a metamorphic engine and instead creates mutants by stitching together instructions from non-malicious programs that have been classified as benign by local defenses. This makes it more difficult for featurebased malware detectors to reliably use those byte sequences as a signature to detect the malware. The instruction sequence harvesting process leverages recent advances in gadget discovery for return-oriented programming. Preliminary tests show that mining just a few local programs is sufficient to provide enough gadgets to implement arbitrary functionality.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {179511,
title = {Frankenstein: Stitching Malware from Benign Binaries},
booktitle = {6th {USENIX} Workshop on Offensive Technologies ({WOOT} 12)},
year = {2012},
address = {Bellevue, WA},
url = {},
publisher = {{USENIX} Association},
month = aug,

Presentation Video

Download Video

Presentation Audio


0 dislikes