AI Malware vs AI Anti-malware

Discussion in 'other security issues & news' started by itman, Feb 17, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    AI isn't just for the good guys anymore
    Using the known fact that malware developers are always one step ahead of the security industry, it is just a matter of time till AI malware will be able to bypass AI anti-malware.

    Additionally, we can "thank" the AI security developers for again creating another security "Genie out of the bottle" situation with AI already being used to greatly improve fingerprinting activities against conventional security software:
    http://www.csoonline.com/article/31...s/ai-isnt-just-for-the-good-guys-anymore.html
     
  2. mWave

    mWave Guest

    If the hypervisor isn't being used then it's simple, just use system calls and continue doing whatever you were doing to bypass the analysis... and if the vendor doesn't hook for all modules but only targets the Windows one already mapped in memory (e.g. "ntdll.dll", "NtTerminateProcess") then just copy ntdll.dll -> rename it -> manual map it into your sample -> get address dynamically from there

    Unless they patch the kernel but even on x86 I highly doubt they will do this these days (and they can't on x64 without HV)

    and I bet you products like CylancePROTECT won't auto-block new driver loads -> dump an empty *.sys file -> fill in the bytes with NtWriteFile -> load the driver -> now do whatever you want lol

    these "next-gen" products are a false sense of security IMO

    IMO Emsisoft, ESET, Avast or Kaspersky is more useful

    1. Don't auto allow programs to run with admin privileges, make sure you do your research properly
    2. Don't handle attachments from e-mails from unknown senders
    3. Keep using brain.exe and let your AV be a "backup" friend say on case

    If you get infected somehow -> use a clean backup.. if not, format not just reinstall the OS -> problem solved
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    My point in posting was this is another example of new technology being publicly released without fully assessing the negative implications of it.
     
    Last edited: Feb 17, 2017
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I don't see how "next gen" products give a false sense of security. Keep in mind, companies like CrowdStrike and SentinelOne also market next gen AV's, which are basically AV's with advanced HIPS/behavior blocking. I'm not sure yet about this new AI hype. I think it would be foolish to only rely on AI, like Cylance is apparently doing.

    Yes I agree, but about point 1: All app installers need admin rights, otherwise installation will fail.

    http://www.csoonline.com/article/31...ype-skepticism-at-rsa-cybersecurity-show.html
     
  5. mWave

    mWave Guest

    Yes, but in point 1 I said to do your research properly... So if you do, then you won't be allowing an installation to non-genuine software. :)
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Exactly, but why would you download non-genuine software in the first place? Plus, don't forget that malware can also do damage without any admin rights.
     
  8. mWave

    mWave Guest

    I think you're forgetting that us people here know what we are doing but average users don't... that is why people get infected in the first place.

    Yes I know malware doesn't require admin rights but the more dangerous ones will, such as ones that use device drivers, overwrite MBR, inject into other admin-running processes, etc

    for example if you wanna inject into an elevated process you gotta be an elevated process as well
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    My point is that if you do your research, you will normally speaking not run malware. So it doesn't matter if the downloaded app needs admin rights or not, after all it's already deemed safe. Like you said, normal users don't understand why giving admin rights might be dangerous, but they do know that if they don't, then software won't install.
     
  10. mWave

    mWave Guest

    I think you're forgetting that us people here know what we are doing but average users don't... that is why people get infected in the first place.

    Therefore inexperienced people can be click happy and not do their research -> infection
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes but weren't your tips meant for average users? I'm just saying, it would be better to say: don't run apps that you don't trust. Because even without admin rights, malware can still do damage.
     
  12. mWave

    mWave Guest

    My tips were meant for anyone who needs them, not for anyone specific. Yes master, "don't run apps that you don't trust" is much better. Now let me point you to another quote:
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    LOL, I'm glad you're agreeing with me. :D
     
  14. mWave

    mWave Guest

    What can you expect?

    You seem to be a very knowledgeable and experienced person
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Well, you didn't have to agree with me, but I think a lot of people are way too focused on warning only about the dangers of admin rights, while malware can also do damage on a LUA account, see link. But anyway, back to the topic: I'm not that afraid of malware using AI, at the end of the day they will always have to perform certain suspicious behavior, and this will be caught by HIPS.

    http://hexatomium.github.io/2016/02/16/lua-powers/
     
  16. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Did anyone think differently? :argh:
    AI in my opinion will not be up to snuff for a long long while.
     
  17. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    This will be like Ultron vs Jarvis in Iron Man. :D
     
  18. guest

    guest Guest

    If you know what you are downloading, you won't need your HIPS (or any additional security solutions)...just saying... :D
     
  19. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    You never know what you're downloading. This is the "wild west" for now.
     
  20. guest

    guest Guest

    Go to the software website, look or ask for the checksum (hash value), compare with the one you downloaded. Simple as that. No need to be a genius.
     
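    Checking a download against a vendor's published checksum, as an added example that is not part of the thread; the function names and the constructed "setup.exe" sample line are this example's own:

```python
# Added example (not from the thread): check a downloaded file against a published checksum.
import hashlib
import hmac
import os
import tempfile

_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}  # hex length -> algorithm

def parse_checksum_line(line: str):
    """Parse 'sha256sum' style output ('<hex>  <file>' or '<hex> *<file>') -> (lowercase hex, file or None)."""
    parts = line.strip().split()
    if not parts:
        raise ValueError("empty checksum line")
    digest = parts[0].lower()
    if any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("checksum is not hexadecimal")
    filename = parts[1].lstrip("*") if len(parts) > 1 else None  # leading '*' marks binary mode
    return digest, filename

def file_digest(path: str, algorithm: str) -> str:
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):  # 64 KiB chunks: large installers never sit in RAM
            h.update(chunk)
    return h.hexdigest()

def verify_download(path: str, published: str) -> bool:
    """True only if the file's digest equals the published one, using the algorithm the length implies."""
    expected, _ = parse_checksum_line(published)
    algorithm = _ALGO_BY_LEN.get(len(expected))
    if algorithm is None:
        raise ValueError("unrecognised checksum length %d" % len(expected))
    # MD5/SHA-1 still catch a corrupted download but not a deliberately substituted file; prefer SHA-256+.
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual, expected)  # constant-time comparison of the hex strings

def demo() -> dict:
    """Constructed sample: a 3-byte 'download' (b'abc') whose SHA-256 is well known."""
    published = "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD  *setup.exe"
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "setup.exe")
        with open(good, "wb") as f:
            f.write(b"abc")
        intact = verify_download(good, published)
        with open(good, "ab") as f:  # tamper with the file: append a single byte
            f.write(b"!")
        tampered = verify_download(good, published)
    return {"intact": intact, "tampered": tampered}
```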
  21. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    I see this used like the saying "it's gone viral". Don't trust.
     
  22. guest

    guest Guest

    In fact, before downloading anything from the net, some basic research has to be made. Now I can understand it is not practical and most people will be too lazy to do so; but if you get infected by not doing it, just blame yourself.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    It's indeed possible to stay safe without any security tools, but why take the risk? And HIPS is for the paranoid who don't fully trust apps even though they are "most likely" to be safe. I always like to know about certain modifications that are made to the system, or about dangerous behavior. Of course, HIPS can get annoying, so that's why I have disabled certain features, because it doesn't make sense to alert about certain things; the same goes for UAC.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW, to give some examples of possible dangerous behavior, let's take EagleGet and Maxthon as an example. The first wants to install a driver; this might be risky behavior for a download manager, it can be used to bypass the firewall for example. And Maxthon tries to modify network hooks inside browser memory; this could be used to manipulate network traffic, and to alter websites. These are both legitimate tools AFAIK, but for me it's a bit too risky, so I have chosen not to use them.

    http://www.eagleget.com/
    http://www.maxthon.com/
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    And here are some reminders why to never blindly trust apps, even when they are deemed safe. With HIPS, you could have easily blocked the malware that's described in links 2 and 3. I believe the attack in link 1 is much harder to block, because once you give some app outbound access, it can transfer data to any computer/server.

    http://www.computerworld.com/articl...hiver-steals-your-passwords--and-cubocc-.html
    https://kc.mcafee.com/corporate/index?page=content&id=PD24966
    http://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/
     