Pesidious : Malware Mutation using Deep Reinforcement Learning & GANs

The purpose of the tool is to use artificial intelligence to mutate a malware (PE32 only) sample to bypass AI powered classifiers while keeping its functionality intact. In the past, notable work has been done in this domain with researchers either looking at reinforcement learning or generative adversarial networks as their weapons of choice to modify the states of a malware executable in order to deceive anti-virus agents. Our solution makes use of a combination of deep reinforcement learning and GANs in order to overcome some of the limitations faced while using these approaches independently as showen below.

Find our full documentation for the tool here

Installation Instructions

⚠️ Since this tool deals with malware files, it is strongly recommended to use a virtual machine. After installation of the tool, make sure to disconnect from the network.

The following steps will guide you through all the installations required to set up the environment.

• Install and set up Python 3.6.
• Clone the repository. git clone https://github.com/CyberForce/Pesidious
• Move into the project directory. cd Pesidious
• Set up and activate a virtual environment with Python 3.6 It is recommended to use a virtual environment to avoid conflicts between packages used by different applications
• Make sure that you have pip 8.1.1 installed and set up. This is due to later versions of pip not playing well with the PyTorch libary. pip install pip==8.1.1
• Install all the required libraries, by installing the requirements.txt file. pip install -r pip_requirements/requirements.txt

Mutate Your Malware

The output from GAN has already been stored as (RL_Features/adverarial_imports_set.pk and RL_Features/adverarial_sections_set.pk) which will be used for when adding imports and sections to the malware for mutation.

• You can test the sample classifier to score malware files. python classifier.py -d /path/to/directory/with/malware/files
• Run the mutate.py python script to mutate your malware samples. python mutate.py -d /path/to/directory/with/malware/files
• The mutated malware files will be stored in a directory called Mutated_malware in the following format Mutated_malware/mutated_<name-of-the-file>
• Once the malware files are mutated, you can run the classifier again to score the mutated malware. python classifier.py -d Mutated_malware/

Known Issues & Fixes

⚠️ WARNING: This segment is currently under construction. We apologize for any inconvinience caused. Please proceed to the next section. click here

1. pip install -r requirements.txt gives you an error. Solution: pip install tqdm pip install sklearn pip install lief
2. ModuleNotFoundError: No module named ‘tensorboardX’ error while running python main_malgan.py script. Solution: pip install tensorboardX
3. Error with the execution of import-append, section-append (not found) Solution Give execute permission to these executables using the following commands on your terminal cd portable-executable/ chmod 777 project-add-sections/bin/Debug/project-append-section chmod 777 project-add-imports/bin/Debug/project-append-imports

Built With

• PyTorch – Open source machine learning library based on the Torch library.
• Lief – A cross platform library which can parse, modify and abstract ELF, PE and MachO formats.
• PE Bliss – PE libarry for rebuilding PE files, written in C++.
• Gym-Malware – Malware manipulation environment for OpenAI’s gym.
• MalwareGAN – Adversarial Malware Generation Using GANs.

Authors

• Chandni Vaya – X-Force Incident Response, IBM Security – Github
• Bedang Sen – X-Force Incident Response, IBM Security – Github

Acknowledgments

• Gym-Malware Environment: https://github.com/endgameinc/gym-malware. The environment was modified to add GAN and the mutations were added/changed/removed to improve the evasiveness of the malware and maintain functionality.
• Yanming Lai’s (https://github.com/yanminglai/Malware-GAN) and
• Zayd Hammoudeh’s (https://github.com/ZaydH/MalwareGAN) work on implementation on Han and Tan’s MalGAN played a crucial role in our understanding of the architecture. A majority of the implementation of the MalGAN used in this project has been forked off Hammoudeh’s work.