AI Driven Malware: DeepLocker at DEFCON

Discussion in '[H]ard|OCP Front Page News' started by Kyle_Bennett, Aug 16, 2018.

  1. Kyle_Bennett

    Kyle_Bennett El Chingón Staff Member

    We get some firsthand information from our security man on the ground from DEFCON. Thanks to SCHTASK for the writeup!

    Of the many briefings I attended at the Blackhat / Defcon conferences of last week, the DeepLocker briefing presented by IBM resonated with me the most. AI driven technology has been a mainstay marketing point for most "Next Generation" security platforms. If I had a nickel for every time I heard "Deep Learning / AI driven security" in the last two years I'd be a rich man.

    But what happens when the tables are turned and AI is used for malicious means? Researchers at IBM have an idea... Introducing: DeepLocker.

    Full story on the news page......


    Check out the video.
     
    Last edited: Aug 16, 2018
  2. Incontentia Buttocks

    Incontentia Buttocks [H]Lite

  3. HeadRusch

    HeadRusch [H]ard|Gawd

    Not worried, I'll see that enormous glowing key coming a mile away. #FutureProofed.
     
  4. theplaidfad

    theplaidfad Lurker

    Awesome. This combined with our obsession with handicap access will be the end. Wait... can robots climb stairs yet?
     
  5. The fact WannaCry wasn't found means the signature used to detect WannaCry was altered so that it wouldn't be found. This makes it a new variant. It is entirely possible that the payload was randomly encrypted (done with each distribution to hide execution) but in the end anti-virus firms look for decoders and analyze the fuzzed code as it comes out of the encrypted payload.

    So all they effectively did at best was create a WannaCry variant that will be caught once the new decrypted payload gets intercepted by a new signature.
    *sighs*
     
  6. velusip

    velusip [H]ard|Gawd

    IBM will probably get blamed/fined for real-world examples in the near future. Not that they should, but that people are nuts.
     
  7. Schtask

    Schtask Limp Gawd

    Not exactly. You can change a malicious signature just by XORing some pointers... You don't necessarily create a new variant when doing that as the functionality remains exactly the same. To boil it down even further... The payload doesn't matter as it is not actively producing a behavior on the target. Signatures, hashes, memory analysis, file analysis, behavior... None of that matters because the payload is hidden within a benign carrier and locked behind trigger conditions that are nearly impossible to guess. Not just that, but the DNN actively protects the payload so that it doesn't get detected. As far as AV and the rest of the monitoring world are concerned, it's just an app behaving like an app. Does an AV continuously scan "known good" applications that are already running? Some do. Many don't to save resources.

    Outside of file hashing (easily defeated) how would an AV flag a behavioral check on a payload if the payload isn't running at all? If the malware is looking for a specific person's face before unlocking the payload, how would an anti-virus know the trigger condition? It wouldn't. Neither would a malware reverser. Sandbox wouldn't get it either unless the person running it was the target to begin with. There's no memory to analyze because the payload isn't launched until a trigger condition is met. There are no file drops, registry changes, or new processes until the trigger condition is met either. Now a behavioral AV like Cylance could detect a malicious payload after DeepLocker executes it for sure... but if you're using an AI driven malicious payload obfuscation tool, why would you waste it on a payload that has identifiable and previously recorded signatures? Awesome for zero day attacks though for sure. Reversers would be tearing out their hair.
     
    Last edited: Aug 16, 2018
  8. I agree with you, there are simple modifications to mask the signature. However there are static elements to the code which can have a signature attached once it is detected.

    And when anti-virus apps have heuristic analysis of running apps on, they do scan everything the app does. Just because it's white-listed during the scan and download doesn't mean it's forgotten. Anti-viruses pay attention especially when there seems to be a large number of file accesses to unrelated files. When an app executes it pays attention to what services it uses, and which directories it accesses. If it's an unknown app, its operating characteristics get logged. If a newly installed app Y tries to access services and directories that are already covered by app X, then it gets flagged and sent for analysis. Especially if said app tries to override certain core features.

    To combat this and WannaCry variants, anti-virus firms like BitDefender auto lockdown certain folders you select and new apps can't access them until you give the thumbs up. The reason I know this is because Roblox Studio won't get access to my documents folder as they keep installing new variants and BitDefender goes "I can't allow you to do that Dave" (much to my young son's frustration when he's scripting something and trying to make movies).
     
    Last edited by a moderator: Aug 16, 2018
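
The two behavioural checks described in post 8 (protected folders, and many writes to unrelated directories), sketched over a constructed event list. This is an added example and not part of any post; the process names, paths, thresholds and the `analyze` function are hypothetical, not any vendor's implementation.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample events (seconds, process, operation, path); not real telemetry.
EVENTS = [
    (0, "discord.exe", "read", r"C:\Users\dave\AppData\Roaming\discord\settings.json"),
    (1, "discord.exe", "write", r"C:\Users\dave\AppData\Roaming\discord\Cache\f_0001"),
    (2, "winword.exe", "write", r"C:\Users\dave\Documents\report.docx"),
    (3, "robloxstudio.exe", "write", r"C:\Users\dave\Documents\movie.rbxl"),
    (10, "updater.exe", "write", r"C:\Users\dave\Pictures\a.jpg"),
    (11, "updater.exe", "write", r"C:\Users\dave\Music\b.mp3"),
    (12, "updater.exe", "write", r"C:\Users\dave\Videos\c.mp4"),
    (13, "updater.exe", "write", r"C:\Users\dave\Desktop\d.txt"),
]

PROTECTED = [PureWindowsPath(r"C:\Users\dave\Documents")]  # user-selected folders
APPROVED = {"winword.exe"}   # apps the user has given the thumbs up
SPREAD_LIMIT = 3             # distinct directories written before flagging
WINDOW = 30                  # seconds of history considered per process


def analyze(events, protected=PROTECTED, approved=APPROVED):
    """Return alerts as (time, process, rule, detail) tuples."""
    alerts = []
    recent = defaultdict(list)   # process -> [(time, directory)] of recent writes
    spread_flagged = set()
    for ts, proc, op, path in sorted(events):
        p = PureWindowsPath(path)
        # Rule 1: unapproved process touching a protected folder.
        if proc not in approved and any(root in p.parents for root in protected):
            alerts.append((ts, proc, "protected-folder", path))
        if op != "write":
            continue
        # Rule 2: writes spread over many unrelated directories in a short window.
        window = [(t, d) for t, d in recent[proc] if ts - t <= WINDOW]
        window.append((ts, p.parent))
        recent[proc] = window
        dirs = {d for _, d in window}
        if len(dirs) > SPREAD_LIMIT and proc not in spread_flagged:
            spread_flagged.add(proc)
            alerts.append((ts, proc, "write-spread", f"{len(dirs)} directories"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```

The `discord.exe` events stay inside the app's own directories and raise nothing: both rules act only on behaviour that has already happened, which is the dormant-carrier case argued in posts 7 and 10.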
  9. modi123

    modi123 [H]ardness Supreme

    I'll wait for the jilted lover variant of the virus.. so anytime someone's ex/infatuation/declined-a-date walks past a smart phone camera, or laptop, the payload triggers, flashes revenge porn, blares music, and crashes the laptop. A ripple of chaos as they go about their lives. Of course that's excluding feeds from ATMs, home security, the government, trail cams, toasters, fridges, game systems, and secure access doors.
     
  10. Schtask

    Schtask Limp Gawd

    Right, but what I'm saying is this. DeepLocker could hide malware in Discord. That version of Discord gets downloaded 20,000,000 times. Maybe it gets pushed as an update. The point being... Those versions of Discord will be completely benign. Nothing will be different until a trigger condition is met. See what I'm saying? The trigger condition could be a specific person or machine. There are no behaviors or samples to analyze until that trigger condition is met. AV detection should NEVER be relied upon to state a system is clean. That's why most IR plans stipulate infected machines are nuked from orbit.
     