IT researchers have discovered a malicious discovery of the machine learning model in embracing facial repository. The specific ML model found has opened a reverse shell on infected systems. Developers and interested parties may have data record and hug face Download pre-direct AI modelSuch as the “slimdd down” version of the AI model from Dipsek, Mistral or Quven, which can be used in weak hardware at home.
Advertisement
A Blog post of IT Safety Researchers of Reversinglabs “Nullifai” analyzes painted malware. They have been introduced to deadly actors to embrace the face with the manipulated AI model. You misuse an essential function, pickle file order, also called pickle. Pickle is a python module that is often used for the ordering and deserialization of ML model data. Pimple format is considered insecure as this ML model enables the python code during deserialization. Hugging face also indicates this danger in documentation.
Last malware recognition slipped
IT researchers faced two Hugging-facial models, including malignant codes and not marked by Hugging Face Security Mechanism as unsafe (“unprotected”). The examined ML model printed a proof-off-concept model to test this new type of attack. A screenshot has shown the scanning results of embracing the face: Protectai and Clamev have not found any problem, HF pickles apparently did not even recognize the file as a grain.
Two deadly files are available in the pytorch format, which is essentially a compressed pimple. By default, zip compression is used for this, but these models are compressed with 7Zs. It can create a pytorch standard function torch.load() They do not load them. IT researchers believe that HF pickle has therefore not marked the file as unsafe. Pickle is a very limited scanner anyway: it uses a blacklist of dangerous tasks; IT security experts from Checkmarx have also discovered other tasks that can take the code out, but cannot be found on this blacklist. Furthermore, pickle cannot analyze clearly defective pickles.
Because as another strategy of veiling, the object elelias in both files is faulty immediately after the deadly payload. It leads to errors when decomposing the object. With pre -known malware, the attackers also use the hiding location version to avoid detection through defective formats. They work in the target system as desired, but the safety software cannot be analyzed correctly by parsers.
For example, the IT researchers, what can do to the attackers by misusing IT researchers, examples, examples, execution of fatal orders, opening of network connections, manufacture of new procedures or access to cameras, microphones and file systems. . Concrete samples contain a reverse shell that is adapted to the platform that connects a hard-coded IP address.
IT researchers discuss other tests with which they have verified their research. However, you and the hug face have not been able to work as simple or tangible solutions for the pimple problem. It lives along the middle ground, which does not forbid pimples and is to analyze the grain files with the safety mechanism and to improve the scan continuously. At the end of the blog entry, there are still signs of an infection (indicators of compromise, IOCs).
(DMK)
