DeepLocker malware

Artificial-intelligence malware presented at the Black Hat conference is currently attracting a lot of attention. What is special about it: the malware uses artificial intelligence to decide whether or not a particular computer is the target to attack. According to experts, there is no reason to panic at the moment.

At the Black Hat conference in Las Vegas, IBM malware researchers unveiled DeepLocker, a malware sample that demonstrates new ways in which malicious files can protect themselves from detection using artificial intelligence techniques. With most AI techniques, such as neural networks, it is difficult to understand how they reach their decisions and which actions they trigger.

This is already a problem for AI researchers, and it is also a problem for malware analysts, because the program's logic is no longer visible simply by analyzing the code. The talk shows that the arsenal of analysis methods needs to be expanded. DeepLocker also shows that attackers have new AI-powered capabilities at their disposal, such as facial recognition or speaker verification, to identify the intended target system. This makes the contribution of the IBM researchers very valuable.

On the other hand, the impact of these innovations also needs to be put into perspective. It is true that malware evades analysis. But malware has been doing this for more than 30 years, and the arsenal of concealment and self-defense measures is extensive. For just as long, the detection technologies in IT security solutions have been improved, expanded and supplemented with new procedures.

Virus scanner signatures are usually based on the malware's code. Using AI techniques inside the malware can make this harder. However, it is possible to recognize the AI-based components themselves and to create signatures based on them.

Modern security solutions also increasingly rely on behavior-based detection techniques, which can detect malware even when it uses deep and unusual obfuscation techniques. For this reason, security solutions can also protect against such new threats.

Analysis and methods of protection against DeepLocker

Last year, IBM specifically demonstrated a variant of the WannaCry ransomware, which paralyzed corporate networks around the world. In this example, the ransomware Trojan only became active when the facial recognition software built into it identified a specific person, for example the CEO of the company.

DeepLocker does not change the behavior of a file on the system. Even if a security solution has difficulty following the malicious file's decision-making process as to whether or not it will infect the computer, behavior-based detection will still detect and prevent the WannaCry infection or any other ransomware infection.

A behavioral blocker checks whether or not certain suspicious activities are happening on the system. For example, in the case of ransomware, the software can detect when a process deletes backups in bulk, backups that could otherwise be used to restore the data.

At the latest, when the process starts encrypting a large amount of data at once without any user interaction, the software will abort the process or, in case of doubt, ask the user whether they currently want to encrypt the data.
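The two behavioral rules described above (bulk deletion of backup material, and a burst of encryption-like writes without user interaction) can be expressed as a small heuristic over a process event stream. The following is an added example written for this article, not code from IBM, DeepLocker or any security product; the event format, the backup paths, the thresholds and the sample events are all assumptions constructed for the illustration.

```python
"""Behavior-based ransomware heuristics over a constructed process event stream.

Added illustration for this article; not code from IBM, DeepLocker, or any
security product. Event format, paths, thresholds and samples are assumptions.
"""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float                  # seconds since process start (assumed sensor field)
    pid: int
    action: str                # "delete" or "write"
    path: str
    payload: bytes = b""       # bytes written, for "write" events
    interactive: bool = False  # True if a user-facing dialog accompanied the action


BACKUP_DIRS = ("/backups/", "/snapshots/")  # assumed locations of restore material
BULK_DELETE_THRESHOLD = 5   # backup deletions by one process before blocking
MASS_WRITE_THRESHOLD = 20   # high-entropy writes inside WINDOW_SECONDS
WINDOW_SECONDS = 10.0
ENTROPY_THRESHOLD = 7.0     # bits per byte; encrypted output is close to 8


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: plaintext is usually well under 6, ciphertext near 8."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def evaluate(events):
    """Return {pid: (verdict, reason)} with verdict in {"block", "ask_user", "allow"}."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid[ev.pid].append(ev)

    verdicts = {}
    for pid, evs in by_pid.items():
        # Rule 1: bulk deletion of backup material is blocked outright.
        backup_deletes = [e for e in evs
                          if e.action == "delete" and e.path.startswith(BACKUP_DIRS)]
        if len(backup_deletes) >= BULK_DELETE_THRESHOLD:
            verdicts[pid] = ("block", f"deleted {len(backup_deletes)} backup files")
            continue

        # Rule 2: a burst of high-entropy writes in a sliding window looks like mass
        # encryption. Without user interaction the process is stopped; with it, the
        # user is asked whether the encryption is intended.
        writes = [e for e in evs
                  if e.action == "write" and shannon_entropy(e.payload) >= ENTROPY_THRESHOLD]
        start = 0
        for end in range(len(writes)):
            while writes[end].ts - writes[start].ts > WINDOW_SECONDS:
                start += 1
            burst = writes[start:end + 1]
            if len(burst) >= MASS_WRITE_THRESHOLD:
                user_driven = any(e.interactive for e in burst)
                verdicts[pid] = ("ask_user" if user_driven else "block",
                                 f"{len(burst)} high-entropy writes in {WINDOW_SECONDS:.0f}s")
                break
        else:
            verdicts[pid] = ("allow", "no suspicious pattern")
    return verdicts


# Constructed sample: pid 100 behaves like ransomware, pid 200 like an
# interactive encryption/backup tool, pid 300 like a text editor.
HIGH_ENTROPY = bytes(range(256))             # every byte value once: 8.0 bits/byte
LOW_ENTROPY = b"quarterly report draft " * 12

SAMPLE_EVENTS = (
    [Event(ts=i * 0.05, pid=100, action="delete", path=f"/backups/db-{i}.bak")
     for i in range(6)]
    + [Event(ts=1.0 + i * 0.1, pid=100, action="write",
             path=f"/home/u/doc{i}.docx.locked", payload=HIGH_ENTROPY) for i in range(25)]
    + [Event(ts=i * 0.1, pid=200, action="write", path=f"/home/u/archive{i}.enc",
             payload=HIGH_ENTROPY, interactive=(i == 0)) for i in range(25)]
    + [Event(ts=float(i), pid=300, action="write", path="/home/u/notes.txt",
             payload=LOW_ENTROPY) for i in range(5)]
)

if __name__ == "__main__":
    for pid, (verdict, reason) in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(f"pid {pid}: {verdict} ({reason})")
```

Note that neither rule needs to understand how the sample decided to trigger: the decision logic (AI-based or not) is irrelevant once the process starts deleting backups or writing encrypted data in bulk, which is the point the article makes about behavior-based detection.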

Obfuscation of DeepLocker malware

In the future, it will be necessary to closely monitor whether malware uses artificial intelligence techniques to try to disguise its own activities. Currently, there are well-established methods that achieve the same result, for example various wrappers that antivirus programs cannot easily read, or self-created scripting languages. It remains to be seen whether malware authors will actually adopt the new techniques.

It is good that IBM drew attention to new methods of hiding malware activity at a security conference like Black Hat. However, the approach shown is not a fundamental problem for the security industry.

DeepLocker and similar AI malware still use files and libraries that can be detected. If such malware appears, it can also be detected using customized signatures or new behavior-based rules. Security solutions have themselves been using machine learning and artificial intelligence to detect malicious files for many years.
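The point made here and in the earlier paragraph on signatures (that the AI components a sample ships with can be recognized even when the model's decision logic cannot be read) can be illustrated with a static indicator check. The following is an added example written for this article, not a signature from any vendor; the indicator list is an assumption consisting of well-known ML runtime names plus the HDF5 container signature used by Keras-style model files, and both byte blobs are constructed samples.

```python
"""Static indicators of an embedded AI component in a file.

Added illustration for this article; not a signature from any vendor. The
indicator list is an assumption: well-known ML runtime names and the HDF5
container signature (Keras-style .h5 model files). Sample blobs are constructed.
"""

ML_RUNTIME_NAMES = (b"tensorflow", b"libtorch", b"onnxruntime", b"keras")
HDF5_MAGIC = b"\x89HDF\r\n\x1a\n"   # file signature of an HDF5 container


def find_ml_indicators(data: bytes) -> dict:
    """Report which ML runtime names and model containers occur in a byte blob."""
    lowered = data.lower()
    runtimes = [name.decode() for name in ML_RUNTIME_NAMES if name in lowered]
    containers = ["hdf5"] if HDF5_MAGIC in data else []
    return {"runtimes": runtimes, "model_containers": containers}


def ml_component_suspected(data: bytes) -> bool:
    """Signature condition used here: an ML runtime name AND an embedded model
    container in the same file. Either alone is common in legitimate software
    (an ML application, a data file), so this check needs both."""
    hits = find_ml_indicators(data)
    return bool(hits["runtimes"]) and bool(hits["model_containers"])


# Constructed samples (not real binaries): a blob that bundles a runtime import
# name with an embedded HDF5 model, and an ordinary-looking blob without either.
SUSPECT_BLOB = (b"MZ" + b"\x00" * 62 + b"onnxruntime.dll\x00" + b"\x90" * 32
                + HDF5_MAGIC + b"\x00" * 64)
BENIGN_BLOB = b"MZ" + b"\x00" * 62 + b"kernel32.dll\x00user32.dll\x00" + b"\x90" * 32
ML_APP_BLOB = b"MZ" + b"\x00" * 62 + b"tensorflow\x00" + b"\x90" * 32   # runtime, no model

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT_BLOB), ("benign", BENIGN_BLOB),
                        ("ml_app", ML_APP_BLOB)):
        print(label, find_ml_indicators(blob), ml_component_suspected(blob))
```

A match on such a signature says only that a file carries an ML runtime together with a model; it does not tell the analyst what the model decides, which is why it belongs alongside behavior-based rules rather than replacing them.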

Mainton Company - custom software development and testing, DevOps and SRE, SEO and online advertising since 2004.