By Bryan Lares and Marla Rosner
If you were reading the cybersecurity headlines yesterday morning, you know that the big news of the day was about Double Agent, a fearsome new zero-day threat that turns antivirus systems into malware, cannot be patched, and has few to no limitations in what in can do once it infects a system.
That same morning, DeepArmor—SparkCognition’s artificial intelligence antimalware solution—caught Double Agent without ever even training on it.
Let’s take a few steps back. What exactly is it that makes Double Agent so disastrous? And why could DeepArmor catch it when so many other programs could not?
Double Agent is a new zero-day threat that can be downloaded from malicious websites or attachments. Once on a system, instead of hiding from the antivirus, it targets it directly by exploiting a vulnerability in Microsoft Application Verifier, a debugging tool found on most Windows systems.
Microsoft Application Verifier detects and fixes bugs in native applications by loading what is called a “verifier provider DLL” into the applications. This DLL could be used to infiltrate just about anything on the machine, but Double Agent goes straight for the antivirus. After all, operating systems place implicit trust in antivirus programs, giving them some of the most extensive system privileges of any software. Once Double Agent takes control of the antivirus, it can do just about anything: passive surveillance, ransomware, or whatever else the hackers can imagine. There are no limitations.
Double Agent can’t be fixed via patching, because it enters the machine using a legitimate Windows feature. Even a system reboot can’t get rid of the malware. And of course, the antivirus itself can do nothing. What’s more, because this vulnerability in Microsoft Application Verifier is undocumented, it’s not going to be fixed anytime soon.
Security vendor Cybellum reports that Double Agent was effective against all 14 antivirus programs they tested.
This was not the case, however, for DeepArmor.
When the news broke yesterday morning, SparkCognition was sent the code containing Double Agent by an IT consulting firm that was curious how our nontraditional take on malware detection would handle this new threat. The answer was: with ease.
DeepArmor is a cognitive endpoint protection solution. It leverages the power of machine learning and natural language processing (NLP) algorithms to analyze the DNA of unknown files and detect malware before it can breach a system’s perimeter—or worm its way into a system’s antivirus.
DeepArmor was able to detect the Double Agent PE file as soon as it hit the user’s system with its Real-Time File Monitoring capability. At that time, DeepArmor’s automated threat handling jumped into action, immediately quarantining the binary before it could be executed on the system. DeepArmor also immediately alerted both the user and the administrator of this new threat vector.
DeepArmor was able to identify and block Double Agent because it has trained on hundreds of thousands of clean and malicious binaries, allowing it to identify similarities between the characteristics of Double Agent and those of previous hacking techniques.
This isn’t the first time DeepArmor has been able to catch threats traditional programs could not. Just last month, it experienced similar success with the ransomware Popcorn Time, which forced victims to either pay the ransom or infect two friends.
“These are exciting new developments not just for SparkCognition, but for cybersecurity in general,” says Bryan Lares, SparkCognition’s Director of Security Solutions. “Security has always been stuck playing catch up with malware, trying to react to new threats after the fact. But with machine learning, the whole playing field has changed.”
Threats in the vein of Double Agent and Popcorn Time show that hackers are targeting machines in increasingly advanced and creative ways. Artificial intelligence solutions like DeepArmor, however, are evolving faster, giving security systems the edge over malware for perhaps the first time in the history of computing.