
Open-Source Tool Can Disable Most Remote-Controlled Malware Automatically
Cybersecurity researchers at Georgia Tech have created a new tool that removes malware from infected devices by turning the malware's own update mechanism against it.
In a rush? Here are the quick facts:
- ECHO repurposes malware’s update system to disable infections.
- It automates malware removal in just minutes.
- Tool is open-source and presented at NDSS 2025.
The tool, called ECHO, uses the malware’s built-in update features to shut it down, stopping remote-controlled networks of infected machines, known as botnets, as first reported by Tech Xplore (TX).
ECHO's open-source code is now available on GitHub and succeeded in roughly 75% of tested cases: the researchers applied the tool to 702 Android malware samples and removed the infection in 523 of them (74.5%), as explained in their paper.
“Understanding the behavior of the malware is usually very hard with little reward for the engineer, so we’ve made an automatic solution,” said Runze Zhang, a PhD student at Georgia Tech, as reported by TX.
Botnets have been causing problems since the 1980s and have grown more dangerous in recent years. The malware Retadup spread across Latin America in 2019, according to TX. The threat was eventually neutralized, but doing so required substantial time and effort.
“This is a really good approach, but it was extremely labor-intensive,” said Brendan Saltaformaggio, associate professor at Georgia Tech, as reported by TX. “So, my group got together and realized we have the research to make this a scientific, systematic, reproducible technique, rather than a one-off, human-driven, miserable effort.”
TX reports that ECHO works in three steps: it analyzes how the malware distributes updates to infected machines, repurposes that same channel to deliver a remediation payload, and then pushes that code out to clean the infected systems. According to the researchers, the whole process takes minutes, fast enough to stop a botnet before it causes major damage.
“We can never achieve a perfect solution,” said Saltaformaggio, as reported by TX. “But we can raise the bar high enough for an attacker that it wouldn’t be worth it for them to use malware this way.”