Tag Archives: Next generation endpoint protection

DeepLocker: AI Powered, Ultra-Targeted and Evasive Malware

19 August 2018

Mohit Kumar’s report on DeepLocker (1) published on 9 August 2018 in The Hacker News made me jump. Is AI becoming the doomsday machine of the 21st century?

DeepLocker is the result of a study (2) performed by IBM Researcher Marc Stoecklin and his colleagues on the question how the use of AI will change cyber-attacks:

“DeepLocker has changed the game of malware evasion by taking a fundamentally different approach from any other current evasive and targeted malware.”

The good news is that DeepLocker still needs a carrier app. Marc Stoecklin writes:

“DeepLocker hides its malicious payload in benign carrier applications, such as a video conference software, to avoid detection by most antivirus and malware scanners.”

Seven Phases Cyber Kill Chain

Cyber Kill Chain

DeepLocker is hence not invincible. A compromised carrier app will have another fingerprint than the not compromised version, at least until the carrier app is not compromised during development.

With this, program reputation, a must-have in every Next Generation Endpoint Protection Solution (NGEPS), can stop a malicious app very early in the Cyber Kill Chain (CKC).

The bad news is that reverse engineering is hardly possible. Marc Stoecklin writes:

“What is unique about DeepLocker is that the use of AI makes the “trigger conditions” to unlock the attack almost impossible to reverse engineer. The malicious payload will only be unlocked if the intended target is reached. It achieves this by using a deep neural network (DNN) AI model.”

Although I am fond of reading malware analysis papers I won’t miss them. From my point of view, it is only important that the NGEPS blocks the payload from being executed. In terms of the Cyber Kill Chain this means: ideally in the delivery phase, the latest in the installation phase.

For more details on DeepLocker please see the presentation (3) Marc Stoecklin delivered at the Black Hat 2018 conference.

Don’t panic, but be prepared: Skynet will gain world supremacy soon …

Have a great week.

  1. Kumar M. Researchers Developed Artificial Intelligence-Powered Stealthy Malware [Internet]. The Hacker News. 2018 [cited 2018 Aug 13]. Available from: https://thehackernews.com/2018/08/artificial-intelligence-malware.html
  2. Stoecklin MP. DeepLocker: How AI Can Power a Stealthy New Breed of Malware [Internet]. Security Intelligence. 2018 [cited 2018 Aug 13]. Available from: https://securityintelligence.com/deeplocker-how-ai-can-power-a-stealthy-new-breed-of-malware/
  3. Stoecklin MP, Kirat D, Jang J. DeepLocker – Concealing Targeted Attacks with AI Locksmithing [Internet]. Black Hat USA 2018. 2018 [cited 2018 Aug 19]. Available from: https://www.blackhat.com/us-18/briefings/schedule/#deeplocker—concealing-targeted-attacks-with-ai-locksmithing-11549

Locky deployment methods just changed – Who cares?

30 July 2016

The Post ‘Locky Dropper Now Comes Embedded in the Loader’, published July 28, 2016 in the ReaQta Security Blog, clearly shows that the cyber criminals continuously develop and improve their products. In the past, Locky downloaded the encryption program from a command & control server. In the latest version the encryption program is embedded in the email attachment as strings. The moment the victim runs the loader, the encryption program is extracted from the strings to the User Space and executed from User Space.

This is no rocket science; simply the application of well-known obfuscation methods to the latest Locky variant.

And, with AppGuard installed on top of the security stack, this new Locky variant represents no real danger.

In my opinion, the next generation endpoint protection solutions available on the market will all deal effectively with this sort of zero-day malware. The example of AppGuard shows: It is simply install and forget.

With this, we will gain valuable time for the right and important things like the implementation of Two Factor Authentication or privileged accounts management, or the design of effective security procedures or user training. Unfortunately, the paradigm shift from prevention to detection prevents us from implementing and doing the right and important things. It’s time for a paradigm change…

Have a good weekend.

Next generation endpoint protection for end-users

29 May 2016

Application virtualization is a great means to deal with malware. In particular ransomware cannot create massive damage if the malicious program is executed in an isolated virtual container which prevents any interaction with the computing environment.

Unfortunately, most vendors of next generation endpoint protection solutions are directed on the protection of large private businesses and administrative bodies. End-user protection is falling increasingly by the wayside. Consumers must rely on inherently weak anti-malware solutions.

By now some products are available which overcome of the most severe deficits of anti-malware solutions. They offer protection e.g. against drive-by downloads, zero-day malware or file-less malware, for private businesses, administrative bodies and end-users alike.

The winners and finalists of the 2015 Homeland Security Awards in subcategory Best Anti-Malware Platform are :

  • Blue Ridge Networks (Winner)
  • Cylance (Finalist)
  • Malwarebytes (Finalist)

The products of these companies are available for end-users. During the next weeks and posts I will discuss my experience with this products, with special regards to their ability to block zero-day malware and usability.

Today I will share my first experiences with Blue Ridge Networks ‘AppGuard Zero Day Malware Protection‘.

AppGuard is installed on top of an anti-malware solution, in my case Windows Defender. In the AppGuard users guide one reads:

‘Conventional “detect and respond” approaches available are not enough in today’s cyber world. AppGuard is a breach prevention defense that stops breaches at the earliest stages. AppGuard delivers a multi-layered defense, protecting the endpoint at multiple points, including launch control, run-time application control, and memory protection to prevent one application from reading or writing to the memory of another. AppGuard protects your computer against certain applications with the greatest risk of malware, such as Microsoft and Adobe products. AppGuard stops the cyber attacks that traditional security products often miss, even zero-day and fileless malware. AppGuard prevents suspicious applications from running and stops even allowed applications such as your browser from performing high-risk activities that might result in an infected computer.’

Great zero-day malware is available from Malwr.com. Let’s get to work.

I used the following sample (zero-day malware, delivered by Microsoft Word document in zip file) for my first test:

Timestamp MD5 File Name File Type Antivirus
May 24, 2016,
2:53 p.m.		 60a59b324f63621a1e2577e87db4439f Security Notification3.zip Zip archive data 5/57

Security Notification3.zip is delivered by email. The zip file contains a Word Document which loads a file called harakiri.pfx from the attacker’s command and control server and executes this file afterwards.

At May 24, 2016, 6:46 p.m. only 6 of 57 anti-malware solutions on VirusTotal identified the malware:

Antivirus Result Update
AVware LooksLike.Macro.Malware.b (v) 20160524
Arcabit HEUR.VBA.Trojan.e 20160524
McAfee W97M/Downloader.bdx 20160524
Qihoo-360 virus.office.obfuscated.1 20160524
Rising Trojan.Obfus/VBA@DT!1.A540 20160524
VIPRE LooksLike.Macro.Malware.b (v) 20160524

With this, Security Notification3.zip is a perfect zero-day malware sample.

After running a standard installation, I customized AppGuard slightly only. I set the protection level to “Locked Down”:

Blue Ridge Networks AppGuard Main Menu

Blue Ridge Networks AppGuard Main Menu

I downloaded the sample file to my test environment and opened the file in word. AppGuard made a great job. The AutoOpen macro downloaded Harakiri.exe to the local temp folder and AppGuard blocked the execution:

AppGuard blocked Execution Notification

AppGuard blocked Execution Notification

I checked some more samples and got the same results in any case: AppGuard blocks the execution of the downloaded files.

With this, AppGuard fully meets my expectations about zero-day malware delivered by Word-documents.

By now Security Notification3.zip is detected by 35 of 56 anti-malware solutions on VirusTotal.com, e.g. as Trojan:O97M/Madeba.A!det by Windows Defender or  as W2KM_DRIDEX.YYSVD by TrendMicro.

Have a good weekend.