AI quickly cooks malware that AV software can't spot

Discussion in 'malware problems & news' started by Minimalist, Jul 31, 2017.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    https://www.theregister.co.uk/2017/07/31/ai_defeats_antivirus_software/
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    While that percentage amount is a concern, I wouldn't resort to "throwing out the baby with the bath water" because of it.

    What would be more illuminating are statistics on the conventional AV hack engines being used and their rate of success. Especially against generic/Yara signatures and the like.
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, Ai is pretty amazing, although it will never be perfect... that is just the nature of Ai. I mean, do YOU make the correct decision every time? Ai does not either.

    Anyone who spends the time to research, test, and compare Ai to traditional engines, will quickly understand that traditional engines do not hold a candle to Ai... which is why most traditional engines are implementing Ai as well. When you combine the two, it is an optimal result. But either way, you will never be able to convince me that the computer should not be locked when it is at risk ;).

    Apparently AppGuard has a new Ai (from what I understand from their website). Although, I do not see how it could possibly be much different from the other Ai vendors, since we are all working with the EXACT same features, and all that really matters is the algo. Although, I have been wrong before, hehehe, so they might have come up with something super cool, and I am excited to see it ;).
     
    Last edited: Aug 4, 2017
  4. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    AppGuard has no AI. The "AI" on their website refers to what AppGuard can currently protect. :)
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Bummer, I was looking for a breakthrough in Ai ;). Not a cheap reference to an advanced technology that they would like to take credit for, without doing the hard work.

    Now that you mention that, and now that I look closer... I also was unaware that "AppGuard is the only solution that prevents breaches from both known and unknown cyber threats."... I will be sure to fix that in the next version of VS ;). Especially when there are many YouTube vids that suggest otherwise.

    Sorry, I was mesmerized by the PowerPoint graphics... they were actually pretty cool. Seriously, the graphics are quite cool.
     
    Last edited: Aug 4, 2017
  6. guest

    guest Guest

    Ai-based malware won't change a damn thing to people using SRP/anti-exe; they still won't be able to execute unless they go fileless, then apps possessing memory protection will hamper them.

    I finally finished updating my policies to block any instance of the processes traditionally used by malware (rundll32, powershell, etc...) anywhere on my system, they can't run without i allow them in case by case basis.
    I also blocked some particular dlls often used by fileless malware (i.e., those running powershell without Powershell.exe)
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    Per Endgame's technical director:
    https://www.forensicmag.com/news/20...alware-agents-could-evade-ai-security-systems
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah... there are a lot of misconceptions when it comes to Ai malware engines. The way I think of it is this... when you are about to execute a file you have never executed before, you most likely look at the digital signature first, because it is one of the best indicators on the maliciousness of a file. So what Ai does is it examines the 300+ indicators (features) of a file (including several digital signature features), and automatically informs the user whether the features match features of a benign or malicious file better. So while the algo is magic (truly, it is magic... I have witnessed how much more intelligent VoodooAi has become in the last year or so), the concept is not magic... it is very simple. Which is the way it should be, because simple things always work better.

    So Ai engines will never be perfect, but it is an extremely valuable file insight tool... it is basically a "super digital signature" file insight indicator.

    But yeah, SRP/AE's will never be bypassed as a result of Ai malware. I am confused on your fileless point, simply because I have no idea what role memory protection plays in fileless malware... the item is either allowed or it is not. When you said "they can't run without i allow them in case by case basis.", it only added to the confusion ;).
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    Perhaps it would be informative to note what AI/Machine Learning doesn't protect against and other negatives:
    Ref.: http://blog.morphisec.com/artificial-intelligence-for-security-real-limitations
     
  11. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Those assertions appear to be made by someone who believes AI is constrained or defined by current levels of research and development.
    Secondly the argument about malware detection is bogus in the first place.
    If you give a referee the rules of a football game and he asks why have rules 10 through 20 been removed?
    You tell him because we want to allow our team to cheat.
    Is it then the referee's fault when the other team figures out the missing rules and cheats too!
     
  12. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    DEF CON. Endgame presents: Evading next-gen AV using A.I.
    PDF: https://media.defcon.org/DEF CON 25/DEF CON 25 presentations/DEFCON-25-Hyrum-Anderson-Evading-Next-Gen-AV-Using-AI.pdf
     
  13. guest

    guest Guest

    - Fileless malware are made to be covert malware, to not touch the disk; touching the disk may trigger an alarm by the target's security mechanisms (AVs, etc.).
    - Fileless malware are all about being in-memory and loading libraries from memory into any host processes; so without any kind of "memory protection", the security soft is useless against them, it can't have any influence on the memory area.
    - Fileless malware can be crafted to embark their own personal interpreter/meterpreter and inject them into any other processes. So for example, powershell functionalities can be loaded from any process without creating a Powershell process (powershell.exe).

    So based on those points, a seriously crafted fileless malware doesn't need to set foot on the HDD or execute any of the target's own interpreters (using them will trigger an alert).
    All is in memory, nothing is executed on the host disk.

    The limitation of classic anti-exe is that their scope is (for most of them) restricted to only executables. If malware, fileless or not, uses anything else, they become useless against the said attack.
    Which is understandable because they are purposely made to just block executions of any executables, nothing else.
    This is why I tell new users of anti-exe on MT:
    "An anti-exe has to be run alongside other security mechanisms, not just as a unique protection. Anti-exe aren't security suites and will never be".

    I like AG because it possesses the ability to block some of the other vectors, that's why it is superior compared to classic anti-exe. But still, AG is better used alongside other softs (like AVs or in my case, anti-exploits)
    Executables aren't the only way to load malware.

    I meant I tightened and "fixed" my AG's policy to strictly block execution of almost all vulnerable processes we are aware of (and some other stuff). They can't run unless I disable the block manually.
     
    Last edited by a moderator: Aug 5, 2017
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I don't have the link, but I was reading about a new script in use that didn't download anything. It had the exe in the script in text form. Lots of alphanumeric characters. If the script was loaded into memory, then the text was converted back into memory. That's a tough one.

    This is one of the reasons I got interested in Excubits MZwritescanner. It not only detects and blocks exe files, but also dll, sys, tmp, and bat files.

    The other interesting thing I just encountered was one of those FEDEX love emails. It had an XLAN extension file attached. I opened in both VM and Sandboxie in VM, with the XL reader. No alerts, no request to allow anything, it just started to encrypt everything. Nice.
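
The "exe in the script in text form" case described in this post can be screened for statically. The following is an added example, not code from the thread or from any product named in it: it finds long base64 runs in script text and reports those that decode to a PE image. Base64 as the encoding, the function names and both sample scripts are assumptions constructed for illustration.

```python
import base64
import re
import struct

# Assumption: the payload is base64 text; the post only says "alphanumeric characters".
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

def looks_like_pe(raw: bytes) -> bool:
    """True if raw starts with an MZ header whose e_lfanew field points at a PE signature."""
    if len(raw) < 0x40 or raw[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", raw, 0x3C)
    return raw[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_embedded_pe(script_text: str):
    """Return (offset, decoded_size) for every base64 run that decodes to a PE image."""
    hits = []
    for match in B64_RUN.finditer(script_text):
        body = match.group(0).rstrip("=")
        body = body[: len(body) // 4 * 4]  # decode only whole 4-character groups
        raw = base64.b64decode(body, validate=True)
        if looks_like_pe(raw):
            hits.append((match.start(), len(raw)))
    return hits

def _constructed_pe_stub() -> bytes:
    """96-byte header-only stub (not a runnable program), built for this example."""
    dos_header = b"MZ" + bytes(58) + struct.pack("<I", 0x40)  # e_lfanew at 0x3C
    return dos_header + b"PE\x00\x00" + bytes(28)

# Constructed sample inputs: one script carrying the stub, one carrying plain text.
SAMPLE_SCRIPT = 'var blob = "' + base64.b64encode(_constructed_pe_stub()).decode() + '";'
BENIGN_SCRIPT = 'var icon = "' + base64.b64encode(b"constructed benign text " * 4).decode() + '";'

if __name__ == "__main__":
    print(find_embedded_pe(SAMPLE_SCRIPT))
    print(find_embedded_pe(BENIGN_SCRIPT))
```

A payload that is split across several strings, or encoded some other way, is not caught by this check, which is why it complements rather than replaces write-time and execution-time controls.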
     
  15. guest

    guest Guest

    Indeed, for a few years now malware writers/pentesters have used in-memory attacks, because touching the disk will mostly trigger alerts from the target's security mechanisms.
    So not so good in terms of stealthily compromising a system and controlling it.

    And with AG or SoB, you can also acquire that ;)
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    Nw.js is a great example of this. Everything is contained within the script: http://blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/ . Another variant here: http://blog.emsisoft.com/2016/06/15/raa-a-new-ransomware-variant-using-only-javascript/ .

    To be completely accurate in regard to fileless malware barring an exploit, most do write to the disk in some fashion; usually the registry auto run key. The malware runs at startup with everything thereafter done in memory. Also and increasingly, the registry file modification actor and when it occurred is usually unknown by forensic analysis, leading one to assume it was done via backdoor or some other type of remote connection.

    As far as I am aware, VoodooShield service runs as automatic - delayed. So it won't monitor anything starting from the registry auto run keys.
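
The autorun persistence described in this post is something a defender can review directly. The following is an added example, not code from the thread or from any product named in it: it audits Run-key values for commands that launch an interpreter or script host instead of an ordinary program. The interpreter list (beyond rundll32 and powershell, which the thread names), the function names and the sample entries are assumptions constructed for illustration.

```python
import ntpath
import re

# rundll32 and powershell are named in this thread; the other script hosts are an
# assumption of this example, not a complete inventory.
INTERPRETERS = {"powershell", "pwsh", "rundll32", "mshta", "wscript", "cscript", "regsvr32"}
COMMAND = re.compile(r'^\s*(?:"([^"]+)"|(\S+))\s*(.*)$', re.S)

def split_command(value):
    """Split an autorun value into (lowercase image name without .exe, argument list).
    Unquoted paths containing spaces are cut at the first space."""
    m = COMMAND.match(value)
    if not m:
        return "", []
    image = ntpath.basename(m.group(1) or m.group(2)).lower()
    if image.endswith(".exe"):
        image = image[:-4]
    return image, m.group(3).split()

def is_encoded_flag(arg):
    """True for -EncodedCommand, its -ec alias, or any prefix of it such as -e or -enc."""
    flag = arg[1:].lower()
    return arg[:1] == "-" and (flag == "ec" or (flag != "" and "encodedcommand".startswith(flag)))

def audit_autoruns(entries):
    """entries: iterable of (key, value_name, command). Returns [(value_name, reasons)]."""
    findings = []
    for _key, name, command in entries:
        image, args = split_command(command)
        reasons = []
        if image in INTERPRETERS:
            reasons.append("interpreter:" + image)
        if image in ("powershell", "pwsh") and any(is_encoded_flag(a) for a in args):
            reasons.append("encoded-command")
        if reasons:
            findings.append((name, reasons))
    return findings

RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [  # constructed for this example, not taken from a real system
    (RUN, "Updater", r'"C:\Program Files\Vendor\updater.exe" /background'),
    (RUN, "Sync", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -enc <BASE64-PLACEHOLDER>"),
    (RUN, "Helper", r"rundll32.exe C:\Users\Public\helper.dll,Start"),
]

if __name__ == "__main__":
    for name, reasons in audit_autoruns(SAMPLE_ENTRIES):
        print(name, reasons)
```

On a live Windows host the entries would come from enumerating the Run keys (for example with Python's `winreg` module) instead of the inline list.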
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    All the scientific research articles I have read state that AI security solution technology will not be perfected for at least another 5 years:
    And .........
    Ref.: https://www.scmagazine.com/weaponis...industry--is-that-a-thing-yet/article/679887/
     
  18. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    I think the Bitdefender guy's comments are more accurate than the morphisec article which tried to define the limitations of a technology that really has no limits.
    I think the industry as a whole is still trying to get its head around AI. It's a strange concept that contradicts everything we have ever done.
    We design things to do a specific task in the way we think it should be done.
    We have never designed things that figure out for themselves how it should be done and we sure never designed things that figure out for themselves what task they should apply themselves to.
    The industry probably feels somewhat threatened by AI. For many years now they have pursued a business model that uses intrusion and surveillance as marketing tools and relies on deceiving their customers as to their true intent.
    You may be able to deceive the average Joe but can you deceive an AI that can process all possible scenarios in a few milliseconds?
    I am quite sure in the not so distant future AI will be applied to designing and writing software, even entire operating systems, in binary code that would take an entire team of analysts months to figure out how it works and will probably be more efficient than anything we have seen before.
     
  19. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Imagine being the first person to create an AI that learns for itself how binary code works, that alone would be pretty awesome.
    I'm going to play around with these ideas myself... Now what was that x register thingy for again? It's been a long time since I did that on a BBC micro as a teenager lol.
    Seriously though imagine being the first person that creates an AI that writes a "hello world" !!
    I would probably have a stroke and never receive my 15 minutes of fame OR my Nobel prize.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    LOL, yes some companies go a bit over the top.

    Yes I agree, of course AI will also be by-passable, but it will raise the bar for sure.
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Correct, Ai is not perfect and it never will be... the computer needs to be locked when it is at risk.

    Ai should only be used as file insight... not as a malware decision engine.
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    BTW, VS is not a classic AE... it blocks much more than just executables. And if there is something I am missing... I will just add it. Easy fix.
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    In business, it is always best to under promise, and over deliver. Having said that, even if I wanted our marketing to be over the top, our attorney investors would not let me do so ;).

    I remember a while back, I had a list of marketing ideas for one of the attorneys, Jim, to review, so we met for lunch and went over the list. On the list, I had something to the effect of "VS is indistinguishable from magic". He actually yelled at me at the restaurant, hehehe, saying "Dan, you cannot make this claim, are you crazy?". So I never used that idea.

    Anyway, fast forward a year or so, when Rubenking wrote in his PCMag review "Well, the technology in VoodooSoft's VoodooShield 2.0 ... is so simple and effective, it might as well be some kind of magic", I met with Jim for lunch again and I watched as he read that line. Hehehe, he just started smiling, because he knew what I was up to ;). So I smiled at him and said "So Jim, can I use that quote in our marketing?" He smiled at me and said "Yes. Yes Dan you can" ;).

    I actually just got an email from someone who was asking why I feel our software is "the best". I emailed my response back to him, and also asked him where he read that we claimed that "VS is the best".

    Marketing is a funny thing.
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I would have to test to know for sure, but VS should have absolutely no issue blocking the above. Come on guys, I think you are probably going to have to do a little better than that ;).

    The VoodooShieldService used to run delayed, but it does not anymore. It really does not matter anyway, because that is a little late in the game to be blocking the attack, don't you think? It is best to stop the attack before it has a chance to even start.
     