Thursday, June 08, 2023

Polymorphic Malware

A few IT experts have recently outlined the dangerous potential of ChatGPT and its ability to create polymorphic malware that’s almost impossible to catch using endpoint detection and response (EDR).


CyberArk - one of the cybersecurity companies cited in a report published a few hours ago - outlined the details on 01.17.2023:

Chatting Our Way Into Creating a Polymorphic Malware

Eran Shimony and Omer Tsarfati, 1/17/23



Abstract

ChatGPT took the world by storm when it was released less than two months ago; it has become prominent and is used everywhere, for a wide variety of tasks – from automation tasks to the recomposition of 18th century classical music. Its impressive features offer fast and intuitive code examples, which are incredibly beneficial for anyone in the software business. However, we find that its ability to write sophisticated malware that holds no malicious code is also quite advanced, and in this post, we will walk through how one might harness ChatGPT's power for better or for worse.

TL;DR

ChatGPT could easily be used to create polymorphic malware. This malware’s advanced capabilities can easily evade security products and make mitigation cumbersome with very little effort or investment by the adversary. The intention of this post is to raise awareness about the potential risks and to encourage further research on this topic.

RELATED

Understanding how Polymorphic and Metamorphic malware evades detection to infect systems

Posted on May 24, 2023


Polymorphic and metamorphic malware constantly changes itself in order to avoid detection and persistently remain on the system. This adaptive behavior is the main distinctive attribute of these types of malware, which is also why they are harder to detect; it is also why they pose a great threat to systems. On the surface, the functionality of this sort of changing and mutating malware appears the same, but each has its own differences.

Polymorphic malware

Polymorphic malware continually changes its features using dynamic encryption keys, making each iteration appear different. This method is very effective against anti-malware products that rely on traditional signature-based detection methods. By the time the malware signature is identified and released, the malware has already evolved into something new. Since only a part of its code is changed, polymorphic malware is considerably easier to identify than metamorphic malware.

Here are some techniques used by polymorphic malware –

  • Subroutine reordering – A set of simple instructions designed to run inside a program on a frequent basis is known as a subroutine. The malware frequently changes the order of its subroutines so that it is harder for antivirus software to detect.
  • Dead-code insertion – The technique of inserting nonsensical code to change the malware's appearance while not altering its behavior.
  • Register swapping – The technique of switching registers from generation to generation without altering the program logic, in order to obfuscate the malware.

Some examples of polymorphic malware are –

  • Storm Worm – Back in 2007, through spam emails, this polymorphic malware was able to infect an estimated 8% of devices around the globe. It changes its appearance every 30 minutes and turns the victim's system into a bot, enabling it to receive commands from a malicious external controller.
  • CryptoWall – This malware encrypts the files on the victim's computer, not to demand ransom, but to evade the usual protective measures. It creates new variants for each target.
  • Virlock – This early strain of ransomware evolved in 2015. It locks the target's computer and encrypts files. It posed as an FBI copyright violation notice, demanding $250 to unlock the computer.

Polymorphic malware can be detected using two different techniques: the entry point algorithm, and generic description technology. The entry point algorithm scans the machine code at the entry point of each file, and generic description technology runs the file on a protected virtual computer.

Metamorphic malware

Metamorphic malware evades detection by rewriting its own code with every iteration, making it new and unique compared to its previous code. This malware doesn't use any encryption keys; the malware itself changes its existing instructions to functionally equivalent ones when creating copies. Because of its complexity, detection is much harder for antivirus scanners. It requires extensive knowledge to create this type of malware, since it includes many transformation techniques.

Techniques such as subroutine reordering, dead code insertion, and register swapping are also used by metamorphic malware. Some of the other techniques that are used include: instruction replacement, code permutation, and random jump instructions.
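The technique lists above (subroutine reordering, dead-code insertion, register swapping) are exactly what a detector has to undo before it can compare a sample to a known family. The following is an added example, not code from the Tripwire article: a toy normalizer in Python over a constructed register-machine assembly (a list of subroutines, each a list of "op a, b" strings, assumed for this demo only) that strips inserted dead code, renames registers by order of first use, and hashes subroutines as an unordered set, so that reordered, register-swapped, junk-padded generations collapse to one fingerprint.

```python
import hashlib
import re

# Constructed toy assembly for the demo: registers are r0, r1, ... ; this is not a real ISA.
REG = re.compile(r"\br[0-9]+\b")

def strip_dead_code(sub):
    """Undo dead-code insertion: drop 'nop' and a 'push X' immediately followed by 'pop X'."""
    out = []
    for ins in sub:
        if ins == "nop":
            continue
        if ins.startswith("pop ") and out and out[-1] == "push " + ins[4:]:
            out.pop()  # push/pop of the same register cancels out
            continue
        out.append(ins)
    return out

def canonical_registers(sub):
    """Undo register swapping: rename registers by order of first use (e.g. r9 -> v0)."""
    names = {}
    def rename(m):
        return names.setdefault(m.group(0), f"v{len(names)}")
    return [REG.sub(rename, ins) for ins in sub]

def fingerprint(program):
    """Undo subroutine reordering: hash each normalized subroutine, sort, hash the sorted list."""
    digests = sorted(
        hashlib.sha256("\n".join(canonical_registers(strip_dead_code(s))).encode()).hexdigest()
        for s in program
    )
    return hashlib.sha256("".join(digests).encode()).hexdigest()

# Constructed samples: GEN_B is GEN_A after reordering, register swapping and junk insertion.
GEN_A = [
    ["mov r1, 5", "add r1, r2", "ret"],
    ["load r3, [r4]", "xor r3, 0x2a", "store [r4], r3", "ret"],
]
GEN_B = [
    ["load r9, [r2]", "nop", "xor r9, 0x2a", "push r7", "pop r7", "store [r2], r9", "ret"],
    ["mov r5, 5", "nop", "add r5, r6", "ret"],
]
DIFFERENT = [["mov r1, 7", "add r1, r2", "ret"]]  # a genuinely different program

if __name__ == "__main__":
    print(fingerprint(GEN_A) == fingerprint(GEN_B))      # True: same family
    print(fingerprint(GEN_A) == fingerprint(DIFFERENT))  # False
```

Instruction replacement (e.g. swapping an add for an equivalent sub) is not handled here; a real engine would add a semantic canonicalization pass before hashing.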

Some examples of metamorphic malware are –

  • W95/Regswap – Initiated in December 1988, it uses the register swapping technique, but its complexity isn't very high.
  • W32/Evol – Appeared in July 2000; it runs a metamorphic engine and can run on any major Win32 platform. It is capable of inserting garbage code between the core instructions of the program.
  • Win95/Zmist – Includes techniques such as code integration, jump instructions, and Entry-Point Obscuring (EPO), which hides the malware's entry point to avoid detection.

Metamorphic malware can be detected using methods such as tracking emulators, and geometric detection, which combines machine learning and computer vision to find geometric features.

Best practices to prevent polymorphic and metamorphic malware

  • Having strong account protection policies, such as complex passwords and Multi-Factor Authentication (MFA).
  • Employing robust security solutions such as firewalls, entry point detection software, and heuristic and behavior detection software.
  • Installing the latest software security updates and keeping them up to date.
  • Educating your employees on good security practices, and building awareness of the latest cyberattacks.

Polymorphic and metamorphic malware is sophisticated in nature. These software variants are able to obfuscate themselves and evade detection from anti-malware scanners. They use various complicated methodologies to remain hidden. It is crucial that organizations understand these types of malware and implement necessary defenses against them.


About the Author:

Dilki Rathnayake is a Cybersecurity student studying for her BSc (Hons) in Cybersecurity and Digital Forensics at Kingston University. She is also skilled in Computer Network Security and Linux System Administration. She has conducted awareness programs and volunteered for communities that advocate best practices for online safety. In the meantime, she enjoys writing blog articles for Bora and exploring more about IT Security. 

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.


>>

ChatGPT Can Generate Mutating Malware That Evades Modern Security Techniques

"ChatGPT has managed to create some amusing and hilarious things in the right hands, like this Big Mouth Billy Bass project. However, there is a much darker side of AI that could be used to create some seriously complicated problems for the future of IT. . .

EDR is a type of cybersecurity technique that can be deployed to catch malicious software. However, experts suggest this traditional protocol is no match for the potential harm ChatGPT can create. Code that can mutate — this is where the term polymorphic comes into play — can be much harder to detect.

Most language learning models (LLMs) like ChatGPT are designed with filters in place to avoid generating inappropriate content as deemed by their creators. This can range from specific topics to, in this case, malicious code. However, it didn’t take long for users to find ways to circumvent these filters. It’s this tactic that makes ChatGPT particularly vulnerable to individuals looking to create harmful scripts.

  • Jeff Sims is a security engineer with HYAS InfoSec, a company that focuses on IT security. Back in March, Sims published a white paper detailing a proof-of-concept project he calls BlackMamba. This application is a type of polymorphic keylogger that sends requests to ChatGPT using an API each time it’s run.

“Using these new techniques, a threat actor can combine a series of typically highly detectable behaviors in an unusual combination and evade detection by exploiting the model’s inability to recognize it as a malicious pattern," Sims explains.

  •  Another cybersecurity company, CyberArk, recently demonstrated ChatGPT’s ability to create this type of polymorphic malware in a blog post by Eran Shimony and Omer Tsarfati. In the post, they explain how code injection from ChatGPT requests makes it possible to modify scripts once activated, avoiding the more modern techniques used to detect malicious behavior."

At the moment, we only have these examples as a proof of concept — but hopefully this awareness will lead to more developments to prevent the harm this type of mutating code could cause in a real-world setting.
