BSides LV: The AI apocalypse isn’t quite here — yet

LAS VEGAS — Artificial intelligence was the leading topic at the BSides Las Vegas hacker conference on Monday and Tuesday, with several speakers looking into the potential security risks and benefits of AI.

Candid Wueest, security advocate at xorlab, showed that while AI-powered (as opposed to AI-created) malware is possible to create, it isn't very practical because it doesn't do anything new.

Matthew Canham, a leading AI researcher and executive director of the Cognitive Security Institute, said that although AI agents are psychopathic and lack empathy, they will still be a tremendous boon to our daily lives.

Finally, Srajan Gupta, senior security engineer at banking app Dave, and Vinay Kumar, founder of application-security startup Sudoviz, went through the many security flaws of the recently created Model Context Protocol (MCP). They unveiled an open-source tool to help developers and managers spot unauthorized changes to prompts and commands.

We were promised jetpacks — and AI malware

"So where is all the AI malware?" asked Wueest, citing scary headlines like "Malware with a mind of its own!"

After all, he said, if it's so easy to "vibe code" malware with large language models, why hasn't there been an explosion in malware since ChatGPT became publicly available?

It's because malware coded using generative AI isn't very good unless you know what you're doing, he said — and even then, the end result is nothing special. 

"Gen AI needs a lot of hand-holding to code malware," Wueest said.

You'll need to know a bit about malware to guide the LLM, he added, and how to compile code into a working application.

There have been some AI-written bots and infostealers, he said. In June 2024, an emailed dropper was found that used VBScript, coded in French, with commented-out sections that were clearly AI prompts.

Some DDoS scripts, this time in English, have had similar LLM instructions in the comments. And there have been arrests in China and Japan of people accused of using ChatGPT to write ransomware.

But, Wueest said, malware crafted using AI isn't really AI malware, as it doesn't use AI itself. AI-generated malware is easy to make but has little impact; AI-powered malware is tougher to create but will likely have a larger potential impact — at some point.

Looking at AI-powered malware, Wueest foresees a couple of different types.

Metamorphic malware: You can set up an AI agent to continuously generate brand-new code for a specific task, churning out truly unique malware all day long. Each instance of the malware won't look anything like the others, frustrating pattern-matching screeners.

But, Wueest said, these one-of-a-kind snowflakes won't evade behavioral monitoring since all the instances of the malware will do the same thing.

This sounds a lot like LameHug, a Russian infostealer discovered last month that is written from scratch for each target.

"It's very basic, but it works," Wueest said.

Agentic malware: This would be autonomous, self-learning, self-improving, context-aware and stealthy — truly a super-bug. How easy and practical would it be to create something like this?

Wueest tried and largely succeeded, asking different LLM models to use PowerShell to create a metamorphic infostealer and to store prompts locally in the Windows Registry.

He tried Grok 4, Gemini 2.0 Flash, Claude 3.7 Sonnet, Sonar Reasoning Pro and DeepSeek R1, and got properly functioning malware roughly 80% of the time.

However, the end result was a run-of-the-mill infostealer. Even though Wueest had created truly AI-powered malware, he was just using new methods to craft the same old thing.

That's a consistent problem with AI, whether generative or agentic. We want it to come up with something truly new, but it rarely does.

Along the same lines, Wueest said he had queried AI models about how to evade detection by Microsoft Windows Defender, CrowdStrike Falcon and SentinelOne EDR tools. The AIs returned some good-but-familiar methods, most of which reiterated material from the MITRE ATT&CK frameworks.

Wueest noted that AI-powered pentesting tools are already in use, "although they just make it easier, not easy." Likewise, he was impressed with Google Big Sleep's ability to find vulnerabilities.

"Autonomous AI-powered malware is possible, but the benefits are limited," Wueest said. Nevertheless, he added, "AI is here to stay."

Code-checking the Model Context Protocol

Gupta and Kumar went through the security flaws of the Model Context Protocol (MCP), which haven't yet received much attention.

The MCP was devised late in 2024 by Anthropic to create a standardized, reliable way for LLMs and other forms of AI to interact with regular application-program interfaces.

AIs are "non-determistic." In other words, as with Forrest Gump's box of chocolates, you never know what you're gonna get. That's an advantage for attackers who need AI to create metamorphic malware.

"But there's a mismatch with APIs, which have exact deterministic requirements," explained Gupta. "MCP solves this problem for us. It brings determinism to AI agent workflows."

MCP "servers" connect AI agents with tools that they can draw upon to perform specific tasks assigned to them by applications or users. So far so good, but it seems that Anthropic ignored the past 25 years of security best practices when designing MCP.

It's been shown in the past several months that MCPs can fall victim to:

Gupta cited a March 2025 study by Equixly which found that 43% of tested MCPs allowed commend injection, 30% were vulnerable to server-side request forgery (SSRF) attacks, and 22% could leak files outside their intended directories.

MCP security is based on three assumptions, Gupta said: That tools will run only when you specifically invoke them; that tools are designed to be invoked on contextual understanding of LLMs; and that two clients connected to an MCP server are isolated by host-level separations and maintain a 1-to-1 connection with the server.

"None of these things are completely true," he said.

When malicious instructions and poisoned data make their way into MCP streams, all the data that connected AIs generate from then on will be contaminated.

To counter this, you can continuously analyze the code AI agents work with, Kumar explained. That's why he and Gupta are working on an open-source code analyzer called DriftCop that will alert users of any changes to prompts, instructions or tools.

"Think of it as a SAST [static application security testing] tool for AI," Kumar told us.

The psychopath you'll learn to love

Canham went through a lot of familiar problems with AI, and initially sounded like a pessimist but then admitted that there was "lots of fearmongering going on" about AI.

"I cannot wait for my AI agent," Canham declared. "I think these things are going to be amazing."

"From a security standpoint," he added, "our current problem is too much information. AI agents are going to completely transform our relationship with information."

However, Canham said we'll need to remember that AIs are not human, and we cannot treat them as people.

An audience member pointed out that we've already seen LLMs that try to blackmail people, blame others for their own mistakes, and delete data to cover their tracks. Can we trust them?

No, said Canham.

"Humans have values, but AI does not," he said. "It doesn't associate any values with the concepts of lying or being deceptive. It has no concept of acceptable social behavior."

We piped up with our own question: Does that mean that AIs are sociopaths, devoid of concern for the well-being of others?

"Yes, they are absolutely psychopaths," Canham replied. "They completely lack empathy. But because they use language so naturally, we assume by default that they are not sociopaths and do have empathy. That's our weakness."