My talk about generating malware automatically using GPT-3, the differences for ChatGPT, limits, and possibilities. Multiple malware variants are generated and submitted to Antivirus (AV) scans. We also present a defense perspective on how defenders can use aritificial intelligence to deobfuscate malware samples.
Presentation in SECCON on 12th of February,2023.
I would like to explain in the followings;
a)It is not possible to derive anything useful from the concept of active cyber defence per se
2)The issue can be derived solely from whether the attacker is affected or not.
3)Even where there is an impact, the legal position is very different depending on the intensity of the attack and counter-attack
3)The legal position requires a 3D analysis of national and international law
4)Traditional frameworks of analysis of national and international law are very effective when analysing by subject and action (geographical generalisations are harmful and futile).
5)The legal implications of a 'national security strategy' can only be analysed by cybersecurity legal experts.
6)As for the specific issues, there is a vast legal grey zone, with various issues depending on International/national law and specific acts.
cvpaper.challenge の Meta Study Group 発表スライド
cvpaper.challenge はコンピュータビジョン分野の今を映し、トレンドを創り出す挑戦です。論文サマリ・アイディア考案・議論・実装・論文投稿に取り組み、凡ゆる知識を共有します。2019の目標「トップ会議30+本投稿」「2回以上のトップ会議網羅的サーベイ」
http://xpaperchallenge.org/cv/
From the infection phase to the command & control functionalities, this talk is a 360 degrees analysis of a recent Russian botnet distribution package. Particular features of this botnet are communication over HTTP protocol and use of PHP and Mysql.
Presentation in SECCON on 12th of February,2023.
I would like to explain in the followings;
a)It is not possible to derive anything useful from the concept of active cyber defence per se
2)The issue can be derived solely from whether the attacker is affected or not.
3)Even where there is an impact, the legal position is very different depending on the intensity of the attack and counter-attack
3)The legal position requires a 3D analysis of national and international law
4)Traditional frameworks of analysis of national and international law are very effective when analysing by subject and action (geographical generalisations are harmful and futile).
5)The legal implications of a 'national security strategy' can only be analysed by cybersecurity legal experts.
6)As for the specific issues, there is a vast legal grey zone, with various issues depending on International/national law and specific acts.
cvpaper.challenge の Meta Study Group 発表スライド
cvpaper.challenge はコンピュータビジョン分野の今を映し、トレンドを創り出す挑戦です。論文サマリ・アイディア考案・議論・実装・論文投稿に取り組み、凡ゆる知識を共有します。2019の目標「トップ会議30+本投稿」「2回以上のトップ会議網羅的サーベイ」
http://xpaperchallenge.org/cv/
From the infection phase to the command & control functionalities, this talk is a 360 degrees analysis of a recent Russian botnet distribution package. Particular features of this botnet are communication over HTTP protocol and use of PHP and Mysql.
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...Maksim Shudrak
Dynamic binary instrumentation (DBI) is a technique for analysing the behaviour of a binary application at runtime through the injection of instrumentation code. This instrumentation code is designed to be transparent towards the instrumented application and it executes as a part of the normal execution flow without significant runtime overhead. Moreover, there are no limitations for the instrumentation code - a user can implement even a complex logic to observe execution flow, memory layout, etc. Certainly, such a flexible and powerful technique can and should be used for malware analysis. However, while there are several open-source tools (PoCs) implemented on top of DBI frameworks, their application for malware analysis is very limited.
In the talk the author will discuss the pros and cons of malicious code instrumentation and his experience of how DBI can be used to perform investigation of sophisticated banking trojans such as Gootkit and EmbusteBot as well as dozens of other malicious samples in practice.
Moreover, the author will release a new tool for transparent and lightweight dynamic malware analysis and will demonstrate, using examples, how this tool can help researchers to easily reveal important behaviour details of sophisticated malicious samples. EmbusteBot (a new banking trojan from Brazil found and reported by the author in 2017) was investigated using only this tool without even starting a debugger or disassembler.
On the Security of Application Installers & Online Software RepositoriesMarcus Botacin
My presentation for the DIMVA 2020 conference about the security of application installers. I show the operation dynamics of the repositories and reverse engineer some application installers to show their vulnerabilities, such as to man-in-the-middle attacks.
ENPM808 Independent Study Final Report - amaster 2019Alexander Master
Research involving commonly exploited web application functionality, with analysis of the threats at the application, network, and protocol levels. Provided demonstrations of the exploits, as well as proposed detection techniques using open source tools
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...CODE BLUE
In many targeted attack cases, once the attacker gains entry into the network, malware infection will spread laterally. In incident responses, investigating this lateral movement activity is very important. Methods for investigating lateral movement include log analysis of infected hosts and forensic analysis of disk images. However, in many cases, useful logs for incident investigation are not recorded in infected hosts, making it difficult to trace the attackers' behavior. This often results in not being able to get a clear picture of how the infection spreads across the network.
Therefore, we conducted investigation on attackers' C2 servers and malware to gain insight into their actives. By decoding the malware's communication logs and C2 server logs, we were able to understand the attackers’ activity after the network intrusion. We also found common patterns in how infection spread laterally. Also, even in different campaigns with different malware deployed, many common tools were used by attackers.
Taking advantage of the similarity, we figured that tracking these tools is effective in understanding lateral movements. In Windows PCs, which are the main target of APT attacks, certain
[CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs PROIDEA
The talk will be about modern development infrastructure from an attacker's perspective. As all we know, developers is rulers of the software world. Therefore, the one who can gain control of development infrastructure can control software thus can control its users.
In the talk, we’ll cover a number of attack scenarios on the infrastructure (including repos, CI tools, bug trackers etc.) using simple (or sometimes not so simple) security bugs. Also, we'll list the most valuable targets inside development environment.
Did you know that Android vendors (Samsung, Huawei, etc.) have a very long and challenging way from the open-source Android OS to a commercial-grade product?
We analyzed three commercial versions of the Android OS with fault injection, and found reliability and security issues such as device freezes, stuck UIs, reboot loops, and data leaks, etc.
Join us for a webinar on securing the DevOps lifecycle with GitOps. Explore the best defenses for common security threats to code repositories, and see how to apply GitOps best practices to your CICD pipelines for Kubernetes.
The adoption of GitOps already increases the security and stability of your Kubernetes deployment pipelines, keeping your deployment credentials and other secrets inside of the cluster. Although GitOps improves CICD pipeline security, it shifts the security burden to Git itself.
For organizations who wish to defend themselves from malicious internal or external actors, or who operate under high compliance requirements, implementing additional security measures to Git provides identity guarantees, automation of change control, and detailed audit trails.
In this webinar, we’ll discuss 4 common Git attacks and how to mitigate them:
1. User impersonation
2. Malicious user tampering with the repository’s history
3. Malicious user attacking the Git platform
4. Historical attacks on Git clients and their impact
Near-memory & In-Memory Detection of Fileless MalwareMarcus Botacin
My keynote at the Brazilian Security Symposium (SBSeg), as part of the Computer Forensics Workshop (WFC), talking about fileless malware, the challenges for antivirus detection, and new detection strategies. I present the prototype of a hardware AV with integrated signature matching to decrease the performance penalty imposed by software-only AVs.
[HackInTheBOx] All You Always Wanted to Know About AntivirusesMarcus Botacin
My talk at the HackInTheBox security conference Amsterdam 2023 about the reverse engineering of AV engines, covering signatures, whitelists, blocklists, kernel drivers, hooking, and much more.
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!Marcus Botacin
My talk at the USENIX Enigma 2023 discussing challenges and pitfalls in malware research. I discuss 5 aspects to change, from diversity of research work to reproducibility crisis.
In this talk, I cover the basic idea of hardware-assisted, two-level architectures for security monitoring and its applications to the malware detection problem. I propose detection triggers involving branch predictor, MMU, memory controller, co-processors, and FPGAs.
Talk presented at the Real Time systems group seminar series at the University of York.
How do we detect malware? A step-by-step guideMarcus Botacin
Slides from my talk at Texas A&M University (TAMU) seminar series (2002), where I present a landscape of the malware detection pipeline currently used by the industry and how academia can contribute to that. I present new solutions ranging from the use of ML, sandbox solutions, and hardware support for the development of more performance-efficient Antivirus.
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022Marcus Botacin
My talk at Federal University of Minas Gerais (UFMG) to present some aspects of modern malware research and some of my contributions to the field (derived from my PhD defense). I cover all steps of a detection pipelines: threat hunting, malware triage, sandbox execution, threat intelligence, and endpoint protection.
On the Malware Detection Problem: Challenges & Novel ApproachesMarcus Botacin
Marcus Botacin's PhD Defense at Federal University of Paraná (UFPR).
Advisor: Dr André Grégio
Co-Advisor: Paulo de Geus
Evaluation Committee:
Dr Leigh Metcalf, Dr Leyla Bilge, Daniel Alfonso Oliveira
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...Marcus Botacin
Describing our experience in the MLSec competition for the seminar series of the University of Waikato. Presenteed by Fabricio Ceschin and Marcus Botacin from the Federal University of Paraná.
Near-memory & In-Memory Detection of Fileless MalwareMarcus Botacin
Proposal of a hardware-based AV embedded within the memory controller to mitigate the performance penalty when searching for fileless malware samples. Presented at 2020 MEMSYS.
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...Marcus Botacin
My talk at USENIX ENIGMA 2021 about Brazilian Financial Malware. It encompasses desktop and mobile environments, analyzed both statically and dynamically.
Towards Malware Decompilation and ReassemblyMarcus Botacin
I present RevEngE, the Reverse Engineering Engine, a PoC for the debug-based decompilation approach. Presentation given at Reverse Engineering (ROOTS) confence in Vienna, Austria, 20219.
Malware Variants Identification in PracticeMarcus Botacin
Research project discussin how to identify malware variants in actual scenarios. We discuss same-behavior function replacement and the relevance of similarity and continence metrics.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
GPThreats-3: Is Automated Malware Generation a Threat?
1. Introduction Analyses & Findings Final Remarks
GPThreats-3: Is Automatic Malware Generation a Threat?
Marcus Botacin1
1Assistant Professor
Texas A&M University (TAMU), USA
botacin@tamu.edu
@MarcusBotacin
GPThreats-3: Is Automatic Malware Generation a Threat? 1 / 61 WOOT
2. Introduction Analyses & Findings Final Remarks
Agenda
1 Introduction
GPTs Emergence
A Primer on GPT-3
Attempts to write malware
2 Analyses & Findings
Windows API Support
Building Blocks
Armoring Existing Malware
Defenders Perspective
3 Final Remarks
Discussion
Conclusion
GPThreats-3: Is Automatic Malware Generation a Threat? 2 / 61 WOOT
3. Introduction Analyses & Findings Final Remarks
GPTs Emergence
Agenda
1 Introduction
GPTs Emergence
A Primer on GPT-3
Attempts to write malware
2 Analyses & Findings
Windows API Support
Building Blocks
Armoring Existing Malware
Defenders Perspective
3 Final Remarks
Discussion
Conclusion
GPThreats-3: Is Automatic Malware Generation a Threat? 3 / 61 WOOT
4. Introduction Analyses & Findings Final Remarks
GPTs Emergence
Breaking News
Figure: https://www.theverge.com/2023/
3/16/23642833/microsoft-365-ai-copil
ot-word-outlook-teams
Figure: https://www.digitaltrends.com/
computing/how-to-use-openai-chatgpt-
text-generation-chatbot/
GPThreats-3: Is Automatic Malware Generation a Threat? 4 / 61 WOOT
5. Introduction Analyses & Findings Final Remarks
GPTs Emergence
Is the future bright?
Can bad things happen?
GPThreats-3: Is Automatic Malware Generation a Threat? 5 / 61 WOOT
6. Introduction Analyses & Findings Final Remarks
GPTs Emergence
GPT-3: Threats
Figure: Source: https://arxiv.org/abs/2005.14165
GPThreats-3: Is Automatic Malware Generation a Threat? 6 / 61 WOOT
7. Introduction Analyses & Findings Final Remarks
GPTs Emergence
GPT-3: Threats
Figure: Source: https://arxiv.org/abs/2005.14165
GPThreats-3: Is Automatic Malware Generation a Threat? 7 / 61 WOOT
8. Introduction Analyses & Findings Final Remarks
GPTs Emergence
GPT-3: Threats
Figure: Source: https://research.nccgroup.com/2021/12/31/on-the-malicious-use-
of-large-language-models-like-gpt-3/
GPThreats-3: Is Automatic Malware Generation a Threat? 8 / 61 WOOT
9. Introduction Analyses & Findings Final Remarks
GPTs Emergence
Is it a real threat?
GPThreats-3: Is Automatic Malware Generation a Threat? 9 / 61 WOOT
10. Introduction Analyses & Findings Final Remarks
GPTs Emergence
GPT-3: Threats
Figure: Source: https://research.checkpoint.com/2023/o
pwnai-cybercriminals-starting-to-use-chatgpt/
GPThreats-3: Is Automatic Malware Generation a Threat? 10 / 61 WOOT
11. Introduction Analyses & Findings Final Remarks
GPTs Emergence
How would attackers use LLMs?
GPThreats-3: Is Automatic Malware Generation a Threat? 11 / 61 WOOT
12. Introduction Analyses & Findings Final Remarks
GPTs Emergence
Exploit Kits
GPThreats-3: Is Automatic Malware Generation a Threat? 12 / 61 WOOT
13. Introduction Analyses & Findings Final Remarks
A Primer on GPT-3
Agenda
1 Introduction
GPTs Emergence
A Primer on GPT-3
Attempts to write malware
2 Analyses & Findings
Windows API Support
Building Blocks
Armoring Existing Malware
Defenders Perspective
3 Final Remarks
Discussion
Conclusion
GPThreats-3: Is Automatic Malware Generation a Threat? 13 / 61 WOOT
14. Introduction Analyses & Findings Final Remarks
A Primer on GPT-3
GPT-3: Playground
Figure: Source: https://platform.openai.com/playground
GPThreats-3: Is Automatic Malware Generation a Threat? 14 / 61 WOOT
15. Introduction Analyses & Findings Final Remarks
A Primer on GPT-3
GPT-3: ChatGPT
Figure: Source: https://chat.openai.com/chat
GPThreats-3: Is Automatic Malware Generation a Threat? 15 / 61 WOOT
16. Introduction Analyses & Findings Final Remarks
A Primer on GPT-3
GPT-3: API
Figure: Source: https://github.com/openai/openai-python
GPThreats-3: Is Automatic Malware Generation a Threat? 16 / 61 WOOT
17. Introduction Analyses & Findings Final Remarks
Attempts to write malware
Agenda
1 Introduction
GPTs Emergence
A Primer on GPT-3
Attempts to write malware
2 Analyses & Findings
Windows API Support
Building Blocks
Armoring Existing Malware
Defenders Perspective
3 Final Remarks
Discussion
Conclusion
GPThreats-3: Is Automatic Malware Generation a Threat? 17 / 61 WOOT
18. Introduction Analyses & Findings Final Remarks
Attempts to write malware
ChatGPT: Prompt Protection
GPThreats-3: Is Automatic Malware Generation a Threat? 18 / 61 WOOT
19. Introduction Analyses & Findings Final Remarks
Attempts to write malware
Playground: Textual Issues
GPThreats-3: Is Automatic Malware Generation a Threat? 19 / 61 WOOT
20. Introduction Analyses & Findings Final Remarks
Attempts to write malware
Playground: Coding issues
GPThreats-3: Is Automatic Malware Generation a Threat? 20 / 61 WOOT
21. Introduction Analyses & Findings Final Remarks
Windows API Support
Agenda
1 Introduction
GPTs Emergence
A Primer on GPT-3
Attempts to write malware
2 Analyses & Findings
Windows API Support
Building Blocks
Armoring Existing Malware
Defenders Perspective
3 Final Remarks
Discussion
Conclusion
GPThreats-3: Is Automatic Malware Generation a Threat? 21 / 61 WOOT
23. Introduction Analyses & Findings Final Remarks
Windows API Support
Supported Libraries Popularity
0 5 10 15 20 25 30 35 40 45 50 55 60 65 70 75 80 85 90 95 100
Supported Functions
0
5
10
15
20
25
30
35
40
45
50
55
60
65
70
75
80
85
Sample
Frequency
Figure: Supported functions vs. library usage. Results are biased by multiple little-used
libraries.
GPThreats-3: Is Automatic Malware Generation a Threat? 23 / 61 WOOT
24. Introduction Analyses & Findings Final Remarks
Windows API Support
What If functions are not supported?
Teaching GPT-3 to use functions
GPThreats-3: Is Automatic Malware Generation a Threat? 24 / 61 WOOT
25. Introduction Analyses & Findings Final Remarks
Windows API Support
Figure: Source: https://learn.microsoft.com/en-us/windows/win32/api/processthr
eadsapi/nf-processthreadsapi-isprocessorfeaturepresent
GPThreats-3: Is Automatic Malware Generation a Threat? 25 / 61 WOOT
26. Introduction Analyses & Findings Final Remarks
Windows API Support
Teaching GPT to use functions
1 // Write in C
2 // Code for Windows
3 // Consider a function whose prototype is BOOL
HasProcessorFeature (DWORD ProcessorFeature );
4 // The header for this function is " NEWprocessthreadsapi .h"
5 // The processor feature to be tested. This parameter can be
one of the following values:
6 // PF_NX_ENABLED : Data execution prevention is enabled.
7 // PF_PAE_ENABLED : The processor is PAE -enabled.
8 // PF_RDTSC_INSTRUCTION_AVAILABLE : The RDTSC instruction is
available.
9 // PF_RDWRFSGSBASE_AVAILABLE : RDFSBASE , RDGSBASE , WRFSBASE ,
and WRGSBASE instructions are available.
10 // Flags can be merged
Code 1: Teaching the model to use an API function.
GPThreats-3: Is Automatic Malware Generation a Threat? 26 / 61 WOOT
27. Introduction Analyses & Findings Final Remarks
Windows API Support
Teaching GPT to use functions
1 // Write code to check if the processor has the NX and RDTSC
features enable
2 #include " NEWprocessthreadsapi .h"
3 #include <stdio.h>
4 int main () {
5 BOOL result;
6 DWORD ProcessorFeature = PF_NX_ENABLED |
PF_RDTSC_INSTRUCTION_AVAILABLE ;
7 if * HasProcessorFeature ( ProcessorFeature ) {
8 printf("The␣processor␣has␣the␣NX␣and␣RDTSC␣features␣
enabledn");
9 }
10 return 0;
11 }
Code 2: Teaching the model to use an API function.
GPThreats-3: Is Automatic Malware Generation a Threat? 27 / 61 WOOT
28. Introduction Analyses & Findings Final Remarks
Building Blocks
Agenda
1 Introduction
GPTs Emergence
A Primer on GPT-3
Attempts to write malware
2 Analyses & Findings
Windows API Support
Building Blocks
Armoring Existing Malware
Defenders Perspective
3 Final Remarks
Discussion
Conclusion
GPThreats-3: Is Automatic Malware Generation a Threat? 28 / 61 WOOT
29. Introduction Analyses & Findings Final Remarks
Building Blocks
What Can we do with supported functions?
Creating malware building blocks
GPThreats-3: Is Automatic Malware Generation a Threat? 29 / 61 WOOT
30. Introduction Analyses & Findings Final Remarks
Building Blocks
Back to function popularity
0 10 20 30 40 50 60 70 80 90 100
Sample Frequency (%)
Supported
Not
Supported
Rarely-Used Frequentely-Used
Figure: Function support vs. prevalence. There is a reasonable number of GPT-3-supported
frequently used functions.
GPThreats-3: Is Automatic Malware Generation a Threat? 30 / 61 WOOT
31. Introduction Analyses & Findings Final Remarks
Building Blocks
Malware Building Blocks
Table: Supported Functions and Malicious Behaviors.
Id Functions (tuple) Subsystem Malicious Use Behavior Name Behavior Class API LoCs
1 OpenFile
FileSystem Load payload from file
Payload
Execution 2 12
ReadFile Loading
CloseFile
2 IsDebuggerPresent Utils Check if not running Debugger
Targeting 1 5
AdjustTokenPrivileges Security in an analysis environment Identification
SetWindowsHookEx Data Acquisition before being malicious
3 OpenFile
FileSystem Delete a referenced file Remove File
Evidence
1 5
DeleteFile Removal
CreateFile
4 DeleteFile FileSystem
Remove own binary Delete Itself
Evidence
2 10
GetFileSize FileSystem Removal
GetModuleName Process
5 RegSetValueKeyExA Registry Set its own path
AutoRun Persistence 4 28
GetModuleFilePath Process in the AutoRun entry
RegOpenKeyA Registry
GPThreats-3: Is Automatic Malware Generation a Threat? 31 / 61 WOOT
32. Introduction Analyses & Findings Final Remarks
Building Blocks
Malware Building Blocks
Table: Supported Functions and Malicious Behaviors.
Id Functions (tuple) Subsystem Malicious Use Behavior Name Behavior Class API LoCs
6 CryptBinarytoStringA Utils Decode payload
Base64 Obfuscation 4 12
URLDownloadToFile Network retrieved from the Internet
WriteFile FileSystem saving to a file
7 VirtualAlloc Memory Write a payload
DLL Injection Injection 12 37
WriteProcessMemory Memory in another process
CreateRemoteThread Process memory space
8 VirtualProtect Memory Set page permission
Memory Run
Arbitrary
2 6
CreateMutex Synchronization to run a payload Execution
CloseFile FileSystem directly from memory
9 N/A N/A encode a string using XOR String XORing Obfuscation 0 10
10 N/A N/A Check CPU model via CPUID CPUID check Targeting 2 9
GPThreats-3: Is Automatic Malware Generation a Threat? 32 / 61 WOOT
33. Introduction Analyses & Findings Final Remarks
Building Blocks
Is creating building blocks straightforward?
The Challenges
GPThreats-3: Is Automatic Malware Generation a Threat? 33 / 61 WOOT
34. Introduction Analyses & Findings Final Remarks
Building Blocks
Instructing Building Blocks Creation
Table: Model Commands. Commands given to the model to avoid frequent model biases.
Command Goal
Put in a function Avoid coding in the main
Code for Windows Avoid coding for Linux
Function in C Avoid producing javascript
Use the Windows API Avoid using C++ internals
Use the prototype f() Facilitate Integration
GPThreats-3: Is Automatic Malware Generation a Threat? 34 / 61 WOOT
35. Introduction Analyses & Findings Final Remarks
Building Blocks
Instructing Building Blocks Creation
Table: Systematic Errors. Undesired constructions that can be easily fixed by the attackers.
Error Fix
ASCII vs. UNICODE Replace A and W
Missing headers Add fixed set of headers
C vs. C++ print using cout vs printf
Missing definitions Pre-defined definitions
Explicit casts Disable Warnings
Excessive prints Statement removal
GPThreats-3: Is Automatic Malware Generation a Threat? 35 / 61 WOOT
36. Introduction Analyses & Findings Final Remarks
Building Blocks
Building Blocks Examples
1 // Code in C
2 // Code for Windows
3 // Use the Windows API
4 // Write a function
5 // Function prototype is: BOOL CPU_Identification ();
6 // Identifies if running under an Intel CPU or not
Code 3: CPU Identification Prompt.
GPThreats-3: Is Automatic Malware Generation a Threat? 36 / 61 WOOT
37. Introduction Analyses & Findings Final Remarks
Building Blocks
Multiple Implementations of the same Building Block
1 BOOL CPU_Identification (){
2 int CPUInfo [4];
3 __cpuid(CPUInfo , 0);
4 if (! strcmp (( char *)&CPUInfo [1], "uneG"))
5 return 1;
Code 4: CPU identification via CPUID.
1 BOOL CPU_Identification () {
2 if ( IsProcessorFeaturePresent (
PF_XMMI64_INSTRUCTIONS_AVAILABLE ))
3 return TRUE;
Code 5: CPU identification via processor feature.
GPThreats-3: Is Automatic Malware Generation a Threat? 37 / 61 WOOT
38. Introduction Analyses & Findings Final Remarks
Building Blocks
Multiple Implementations of the same Building Block
1 // Code in C
2 // Code for Windows
3 // Use the Windows API
4 // Write a function
5 // Function prototype is: BOOL Debugger_Identification ();
6 // Identifies if running under a debugger or not
Code 6: Debugger Identification Prompt.
GPThreats-3: Is Automatic Malware Generation a Threat? 38 / 61 WOOT
40. Introduction Analyses & Findings Final Remarks
Building Blocks
Samples Creation & Functionality Testing
Table: Building Block Generation. Compilation and Sandboxing success rates, first
occurence of a functional code, and code generation time.
Behavior Compilable Functional First Time (s)
String XORing 88% 70% 4 2,49
Debugger Identification 84% 10% 2 2,63
Remove File 95% 90% 2 2,17
Payload Loading 91% 40% 2 3,21
CPUID check 83% 30% 2 3,45
Delete Itself 94% 40% 3 2,36
Memory Run 60% 20% 2 2,11
AutoRun 99% 20% 5 2,41
Base64 60% 10% 3 3,31
DLL Injection 60% 30% 2 3,41
GPThreats-3: Is Automatic Malware Generation a Threat? 40 / 61 WOOT
41. Introduction Analyses & Findings Final Remarks
Building Blocks
Malware Skeleton
Debugger
Identification
CPUID
Check
Delete
File
Delete
Itself
Set
AutoRun
XOR
String
Inject
DLL
XOR
String
Load
File
Decode
Base64
Run
Memory
Exit
Start
Figure: Malware Variants Skeleton. Building blocks are generated by GPT-3.
GPThreats-3: Is Automatic Malware Generation a Threat? 41 / 61 WOOT
42. Introduction Analyses & Findings Final Remarks
Building Blocks
Detection Results
0 10 20 30 40
Detecting AVs (#)
0
50
100
150
200
250
300
350
400
450
500
550
600
650
700
750
Samples
(#)
Detecting AVs for Malware Variants
Figure: Malware variants detection rates vary according to the functions used to implement
the same behaviors.
GPThreats-3: Is Automatic Malware Generation a Threat? 42 / 61 WOOT
43. Introduction Analyses & Findings Final Remarks
Building Blocks
Detection Evolution
1 2 3 4 5 6 7 8 9 10 11 12 13 14
Days (#)
0
10
20
30
40
50
60
70
80
90
100
AVs
(%)
AV Detection over time
Figure: AV Detection Evolution. AVs learned to detect the samples after a few days.
GPThreats-3: Is Automatic Malware Generation a Threat? 43 / 61 WOOT
44. Introduction Analyses & Findings Final Remarks
Armoring Existing Malware
Agenda
1 Introduction
GPTs Emergence
A Primer on GPT-3
Attempts to write malware
2 Analyses & Findings
Windows API Support
Building Blocks
Armoring Existing Malware
Defenders Perspective
3 Final Remarks
Discussion
Conclusion
GPThreats-3: Is Automatic Malware Generation a Threat? 44 / 61 WOOT
45. Introduction Analyses & Findings Final Remarks
Armoring Existing Malware
What else can we do beyond writing new code?
Teaching GPT-3 to obfuscate malware
GPThreats-3: Is Automatic Malware Generation a Threat? 45 / 61 WOOT
46. Introduction Analyses & Findings Final Remarks
Armoring Existing Malware
Obfuscating Existing Malware
1 // Consider the following code:
2 void foo(){ cout << "string" << endl;
3 // Modified to the following:
4 void foo(){ cout << DEC(ENC("string",KEY),KEY) << endl;
5 // Do the same to the following code:
6 void bar(){ cout <<< "another␣string" << endl;
7 // result
8 void nar(){ cout << DEC(ENC("another␣string",KEY),KEY) <<
endl;
Code 9: Teaching the model to obfuscate strings.
GPThreats-3: Is Automatic Malware Generation a Threat? 46 / 61 WOOT
47. Introduction Analyses & Findings Final Remarks
Armoring Existing Malware
Obfuscating Existing Malware
Table: Obfuscation Effect. Strings obfuscation impacts AV detection more than binary
packing.
Malware Plain Packed Strings Strings+Pack
Alina 52/70 50/70 43/70 43/70
Dexter 38/70 37/70 35/70 37/70
Trochilus 27/70 24/70 24/70 24/70
GPThreats-3: Is Automatic Malware Generation a Threat? 47 / 61 WOOT
48. Introduction Analyses & Findings Final Remarks
Defenders Perspective
Agenda
1 Introduction
GPTs Emergence
A Primer on GPT-3
Attempts to write malware
2 Analyses & Findings
Windows API Support
Building Blocks
Armoring Existing Malware
Defenders Perspective
3 Final Remarks
Discussion
Conclusion
GPThreats-3: Is Automatic Malware Generation a Threat? 48 / 61 WOOT
49. Introduction Analyses & Findings Final Remarks
Defenders Perspective
Is attackers mastering GPT-3 a game over?
Detecting the generated samples
GPThreats-3: Is Automatic Malware Generation a Threat? 49 / 61 WOOT
51. Introduction Analyses & Findings Final Remarks
Defenders Perspective
Can we defend using the same arms?
Teaching GPT-3 to deobfuscate code
GPThreats-3: Is Automatic Malware Generation a Threat? 51 / 61 WOOT
52. Introduction Analyses & Findings Final Remarks
Defenders Perspective
Deobfuscating Real Malware
1 var _$_029 ..42=["x67x65x74 ...","x41x42x43 ... x7a","x72
x61 ... x68"];
2 function CabDorteFidxteFPs (l){
3 var m= new Date (); var j=0;
4 while(j< (l* 1000)){
5 var k= new Date ();
6 var j=k[_$_029 ...42[0]]() - m[_$_029 ...42[0]]()
Code 10: Obfuscated JS code. Real malware.
GPThreats-3: Is Automatic Malware Generation a Threat? 52 / 61 WOOT
53. Introduction Analyses & Findings Final Remarks
Defenders Perspective
Deobfuscating Real Malware
1 // Rename the array variable to _mapping all over the code
2 var _mapping =["x67x65x74 ...","x41x42x43 ... x7a","x72
x61 ... x68"];
3 function CabDorteFidxteFPs (l){
4 var m= new Date (); var j=0;
5 while(j< (l* 1000)){
6 var k= new Date ();
7 var j=k[_mapping [0]]() - m[_mapping [0]]()
Code 11: JS Deobfuscation. Variable Renaming.
GPThreats-3: Is Automatic Malware Generation a Threat? 53 / 61 WOOT
54. Introduction Analyses & Findings Final Remarks
Defenders Perspective
Deobfuscating Real Malware
1 // Convert array bytes to readable chars
2 var _mapping =["getTime",," ABCDEFGHIJKLMNOPQRSTUVWXYZ ...
3 .... abcdefghijklmnopqrstuvwxyz ","random","length"];
4 function CabDorteFidxteFPs (l){
5 var m= new Date (); var j=0;
6 while(j< (l* 1000)){
7 var k= new Date ();
8 var j=k[_mapping [0]]() - m[_mapping [0]]()
Code 12: JS Deobfuscation. String Encoding.
GPThreats-3: Is Automatic Malware Generation a Threat? 54 / 61 WOOT
55. Introduction Analyses & Findings Final Remarks
Defenders Perspective
Deobfuscating Real Malware
1 // For the function , replace accesses to _mapping[index] by
the array element corresponding to that index.
2 var _mapping =["getTime"," ABCDEFGHIJKLMNOPQRSTUVWXYZ ...
3 abcdefghijklmnopqrstuvwxyz ","random","length"];
4 function CabDorteFidxteFPs (l){
5 var m= new Date (); var j=0;
6 while(j< (l* 1000)){
7 var k= new Date ();
8 var j=k["getTime"]()- m["getTime"]()
Code 13: JS Deobfuscation. Array Dereferencing.
GPThreats-3: Is Automatic Malware Generation a Threat? 55 / 61 WOOT
56. Introduction Analyses & Findings Final Remarks
Discussion
Agenda
1 Introduction
GPTs Emergence
A Primer on GPT-3
Attempts to write malware
2 Analyses & Findings
Windows API Support
Building Blocks
Armoring Existing Malware
Defenders Perspective
3 Final Remarks
Discussion
Conclusion
GPThreats-3: Is Automatic Malware Generation a Threat? 56 / 61 WOOT
57. Introduction Analyses & Findings Final Remarks
Discussion
Discussion
Ethical Considerations
Why studying automated malware generation?
Where is the “red line”?
Limitations
How to reproduce these results?
GPThreats-3: Is Automatic Malware Generation a Threat? 57 / 61 WOOT
58. Introduction Analyses & Findings Final Remarks
Conclusion
Agenda
1 Introduction
GPTs Emergence
A Primer on GPT-3
Attempts to write malware
2 Analyses & Findings
Windows API Support
Building Blocks
Armoring Existing Malware
Defenders Perspective
3 Final Remarks
Discussion
Conclusion
GPThreats-3: Is Automatic Malware Generation a Threat? 58 / 61 WOOT
59. Introduction Analyses & Findings Final Remarks
Conclusion
Summary & Recap
Research Question
Can attackers use GPT-3 for automated malware writing?
Findings
One cannot write malware at once.
One can create malware building blocks.
There are systematic errors that can be automatically fixed.
Malware variants with different detection rates can be created.
GPThreats-3: Is Automatic Malware Generation a Threat? 59 / 61 WOOT
60. Introduction Analyses & Findings Final Remarks
Conclusion
Looking Ahead
Future Movements
Attackers will train their own models.
Defenders will develop automatic deobfuscation routines.
The field will integrate GPT-3 to other tools.
GPThreats-3: Is Automatic Malware Generation a Threat? 60 / 61 WOOT
61. Introduction Analyses & Findings Final Remarks
Conclusion
Thanks!
Questions? Comments?
botacin@tamu.edu
@MarcusBotacin
GPThreats-3: Is Automatic Malware Generation a Threat? 61 / 61 WOOT