ChatGPT didn\u2019t write this article \u2013 I did. Nor did I ask it to answer the question from the title \u2013 I will. But I guess that\u2019s just what ChatGPT might say. Luckily, there are some grammar errors left to prove I\u2019m not a robot. But that\u2019s just the kind of thing ChatGPT might do too in order to seem real.<\/p>\n
This current robot hipster tech is a fancy autoresponder that is good enough to produce homework answers, research papers, legal responses, medical diagnoses, and a host of other things that have passed the \u201csmell test\u201d when treated as if they are the work of human actors. But will it add meaningfully to the hundreds of thousands of malware samples we see and process daily, or be an easily spotted fake?<\/p>\n
In a machine-on-machine duel that the technorati have been lusting after for years, ChatGPT appears a little \u201ctoo good\u201d not to be seen as a serious contender that might jam up the opposing machinery. With both the attacker and defender using the latest machine learning (ML) models, this had to happen.<\/p>\n
Except, to build good antimalware machinery, it\u2019s not just robot-on-robot. Some human intervention has always been required: we determined this many years ago, to the chagrin of the ML-only purveyors who enter the marketing fray \u2013 all while insisting on muddying the waters by referring to their ML-only products as using \u201cAI\u201d<\/a>.<\/p>\n While ML models have been used for coarse triage front ends through to more complex analysis, they fall short of being a big red \u201ckill malware\u201d button. Malware just isn\u2019t that simple.<\/p>\n But to be sure, I\u2019ve tapped some of ESET\u2019s own ML gurus and asked:<\/p>\n Q. How good will ChatGPT-generated malware be, or is that even possible?<\/strong><\/p>\n A. We are not really close to \u201cfull AI-generated malware\u201d, though ChatGPT is quite good at code suggestion, generating code examples and snippets, debugging, and optimizing code, and even automating documentation.<\/p>\n Q. What about more advanced features?<\/strong><\/p>\n A. We don\u2019t know how good it is at obfuscation. Some of the examples relate<\/a> to scripting languages like Python. But we saw ChatGPT \u201creversing\u201d the meaning of disassembled code connected to IDA Pro<\/a>, which is interesting. All in all, it\u2019s probably a handy tool for assisting a programmer, and maybe that\u2019s a first step toward building more full-featured malware, but not yet.<\/p>\n Q. How good is it right now?<\/strong><\/p>\n A. ChatGPT is very impressive, considering that it\u2019s a Large Language Model, and its capabilities surprise even the creators<\/a> of such models. However, currently it\u2019s very shallow, makes errors, creates answers that are closer to hallucinations (i.e., fabricated answers), and isn\u2019t really reliable for anything serious. But it seems to be gaining ground quickly, judging by the swarm of techies poking their toes in the water.<\/p>\n Q. What can it do right now \u2013 what is the \u201clow-hanging fruit\u201d for the platform?<\/strong><\/p>\n A. For now, we see three likely areas of malicious adoption and use:<\/p>\n If you think phishing looked convincing in the past, just wait. From probing more data sources and mashing them up seamlessly to vomit specifically crafted emails that will be very difficult to detect based on their content, and success rates promise to be better at getting clicks. And you won\u2019t be able to hastily cull them due to sloppy language mistakes; their knowledge of your native language is probably better than yours. Since a wide swath of the nastiest attacks start with someone clicking on a link, expect the related impact to supersize.<\/p>\n Smooth-talking ransomware operators are probably rare, but adding a little ChatGPT shine to the communications could lower the workload of attackers seeming legit during negotiations. This will also mean fewer mistakes that might allow defenders to home in on the true identities and locations of the operators.<\/p>\n With natural language generation getting more, well, natural, nasty scammers will sound like they are from your area and have your best interests in mind. This is one of the first onboarding steps in a confidence scam: sounding more confident by sounding like they\u2019re one of your people.<\/p>\n If all this sounds like it may be way in the future, don\u2019t bet on it. It won\u2019t all happen all at once, but criminals are about to get a lot better. We’ll see if the defense is up to the challenge.<\/p>\n <\/p>\n BEFORE YOU GO: Writing like a boss with ChatGPT and how to get better at spotting phishing scams<\/a><\/em><\/p>\n <\/span><\/p>\n\n
\n
\n