A team of researchers from Ruhr University in Bochum, Germany, has created a new kind of cyber-attack where malicious code is able to be sent in parallel with a legitimate software download without modifying any code.
The new attack binds the malware to free and open source software, because there are fewer code signing and integrity checks in place for such downloads. It’s unusual in the fact that the code isn’t injected into the software, but rather bound to it. The researchers explain what that means:
“Since the original application is not modified one has the advantage that the malicious code can be of a larger size, and thus provide more functionality. Then, upon starting the infected application the binder is started. It parses its own file for additional embedded executable files, reconstructs and executes them, optionally invisible for the user.”
What’s more, anyone using such a technique would only need to control a single network point between the download server and the client—which means simple social engineering or network redirection could be enough to make it a reality. And the binding technique, which means that the original file is unaltered, means it wouldn’t need to be buffered—avoiding the raising of suspicion.
There is some hope, though. The researchers point out that VPNs and HTTPS could be used to flag this kind of suspicious activity that current malware detection systems may miss. And remember that, for now, this remains a research project.