This article originally appeared in SC Magazine on July 21, 2019.
Researchers have disclosed that they were able to repeatedly sneak malware past a leading AI-based endpoint security solution simply by appending benign code strings from a video game file to the malicious code.
The solution, CylancePROTECT, from Cylance and its parent company BlackBerry, failed to detect almost 90 percent of the 384 malware programs that researchers amended with the gaming code, according to a company blog post published last Thursday by Sydney, Australia-based Skylight Cyber. And it missed 100 percent of the top 10 malware of May 2019.
Skylight researchers decided to use the video game code to create what they describe as a “universal bypass” exploit, after a careful analysis of CylancePROTECT’s engine and model found that the security solution had demonstrated a “bias” for a popular game. (Cylance would later dispute the “universal bypass” designation.) Skylight has not publicly revealed the name of the game.
The AI model’s bias was the result of Cylance programmers whitelisting certain executables from the video game, perhaps to prevent these executables from generating false positives in the antivirus solution. With that in mind, Skylight researchers extracted strings from the game’s main executable and added them to the end of the malware files to make them look harmless.
The exploit worked. The CylancePROTECT solution, which scores files from -1000 (most malicious) to +1000 (most benign), originally applied a score of -852 to a malicious version of Mimikatz. After researchers appended the video game code, CylancePROTECT changed the score to +999.
While this technique was specifically meant to work on Cylance, the researchers warn that malicious actors could similarly analyze other AI-based malware detection solutions for weaknesses or biases and devise ways to bypass them. In its blog post report, Skylight says that its analysis of the Cylance product involved studying its logs, reverse engineering code, learning its inner workings via patent submissions and public talks and using static and dynamic analysis to dissect Cylance’s file scoring process.
“BlackBerry Cylance is aware that a bypass has been publicly disclosed by security researchers. We have verified there is an issue with CylancePROTECT which can be leveraged to bypass the anti-malware component of the product,” the Cylance team declared in an official corporate statement last Thursday. “Our research and development teams have identified a solution and will release a hotfix automatically to all customers running current versions in the next few days. More information will be provided as soon as it is available.”
“This research underscores that artificial intelligence hasn’t achieved the level of smarts to match the hype. Machine learning can’t go toe-to-toe with sophisticated programmers behind today’s malware,” said Pat Ciavolella, digital security and operations director for The Media Trust, in emailed comments. “AI-based solutions have built-in biases and blinders that prevent them from detecting, let alone anticipating, new, increasingly sophisticated malware being launched every second. The most iron-clad cybersecurity defense is a combination of AI and a digital security team trained in identifying new malware cloaked in numerous forms of appended or obfuscated code.”
UPDATE: Cylance on July 21 issued a full blog post that revealed more details about the vulnerability and disputed the Skylight researchers’ depiction of the flaw as a universal bypass. “We verified the issue was not a universal bypass as reported, but rather a technique that allowed for one of the anti-malware components of the product to be bypassed in certain circumstances. The issue has been resolved for cloud-based scoring and a new agent will be rolled out to endpoints in the next few days,” Cylance stated.
The company also said that in order to fix this problem, it added anti-tampering controls to its file parser mechanism, strengthened the model itself to adjust for bias, and removed features in its model that were especially prone to tampering.
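As an added illustration (not code from Cylance, Skylight or the original article), one defensive check against strings appended to the end of an executable is to separate the bytes covered by the PE section table from anything that follows, so the appended data can be flagged and left out of scoring. The sample file, the game-like strings, the function names and the 25 percent threshold are all constructed assumptions.

```python
import re
import struct

def build_sample_pe(section_data: bytes) -> bytes:
    """Constructed minimal PE-like file: DOS stub, COFF header, one section."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)  # no optional header
    raw_ptr = e_lfanew + 4 + 20 + 40  # section data starts right after the headers
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                       len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\x00\x00" + coff + sect + section_data

def split_overlay(data: bytes):
    """Split a PE file into (bytes covered by headers/sections, bytes appended after)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    end = table + 40 * n_sections
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    end = min(end, len(data))
    return data[:end], data[end:]

def overlay_report(data: bytes, max_ratio: float = 0.25) -> dict:
    """Flag files whose appended data is large and string-heavy (threshold is assumed).
    Authenticode signatures also live past the last section, so treat a hit as a
    reason to score the stripped image, not as a verdict on its own."""
    image, overlay = split_overlay(data)
    strings = re.findall(rb"[\x20-\x7e]{6,}", overlay)
    ratio = len(overlay) / len(data)
    return {"overlay_bytes": len(overlay), "overlay_strings": len(strings),
            "suspicious": ratio > max_ratio and bool(strings), "image": image}

# Constructed inputs: a stand-in binary and invented game-like strings.
CLEAN = build_sample_pe(b"\x90" * 512)
PADDED = CLEAN + b"ExampleGame::LoadLevel\x00Press START to continue\x00" * 20

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("padded", PADDED)):
        r = overlay_report(blob)
        print(name, r["overlay_bytes"], r["overlay_strings"], r["suspicious"])
```

The `image` field holds the file with the appended bytes stripped, which is what a classifier would be given if appended data is excluded from feature extraction.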