The Rise and Fall of Windows Defender: Unmasking a Flagship Microsoft EDR

Windows Defender Vulnerability Allows Hijacking of Update Process

Introduction

At the Black Hat USA conference, researchers from SafeBreach revealed a security feature bypass vulnerability in Microsoft's Windows Defender. This vulnerability allows an unprivileged user to hijack the update process of Windows Defender and carry out various malicious actions on the targeted system. The researchers were able to exploit this vulnerability to sneak known malware into systems, delete signatures of known threats, delete benign files, and trigger a denial-of-service condition. The research highlights the potential weaknesses in security products and the need for organizations to continually assess the effectiveness of their security measures.

Background and Research Goals

The researchers at SafeBreach were inspired by the sophisticated Flame cyberespionage campaign that took place in 2012, where the attackers inserted themselves into the Windows update process to deliver malware onto infected computers. The goal of SafeBreach’s research was to replicate a similar attack without the need for a complex man-in-the-middle attack or a forged certificate. They aimed to determine if they could take over the Windows Defender update process as an unprivileged user.

Exploiting the Defender Update Process

By studying the Windows Defender update process, the researchers discovered that signature updates are contained in an executable file called the Microsoft Protection Antimalware Front End (MPAM-FE.exe). This file contains two executables and four additional Virtual Device Metadata (VDM) files with malware signatures in compressed form. The VDM files work together to push signature updates to Windows Defender.

The researchers found that two of the VDM files, called “Base” files, contained around 2.5 million malware signatures. The other two files, referred to as “Delta” files, were smaller but more complex. The Base file is the main file that Windows Defender checks for malware signatures during the update process, while the Delta file defines the changes that need to be made to the Base file.

Hijacking the Update Process

The researchers initially attempted to hijack the Defender update process by replacing one of the executables in the MPAM file with a file of their own. However, Defender detected that the file was not Microsoft-signed and stopped the update process. The researchers then decided to tamper with the Microsoft-signed VDM files to achieve their objectives.

Through their analysis, the researchers were able to identify malware names and associated signatures within the VDM files. They discovered that Windows Defender signatures are the result of merging data from the Base and Delta files. They also identified two specific numbers used by Defender for validation purposes.

Using this information, the researchers created a modified VDM file that allowed them to hijack the update process. They were able to make changes to VDM files that caused Defender to fail to detect threats like Conti ransomware and Mimikatz, even though it had signatures for them. They also demonstrated how they could sneak in Mimikatz on a system by replacing a hash on the “FriendlyFiles” list, which is an allow-list that Defender uses to identify benign files.

Additionally, the researchers tricked Windows Defender into deleting all portable executable files on a test machine by making Defender believe they were Emotet malware. This resulted in a denial-of-service condition on the test system.

Implications and Recommendations

This research highlights the potential vulnerabilities in security products, even those considered to be reliable like Windows Defender. The ability to hijack the update process and manipulate malware signatures poses a significant threat to the security of systems.

Organizations should take note that motivated attackers can always find ways to bypass security technologies. Although Microsoft digitally signs the files used in the update process, the Windows Defender vulnerability meant that its validation checks did not detect changes made to those files after signing.
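The update-validation weakness described above, signed files whose later modification the checks do not catch, can be illustrated with an added Python example. It is not code from the article or from SafeBreach and does not model the real VDM format: it builds a toy Base/Delta signature set, a weak check that verifies only a signed header plus a record count, and a strict check that verifies a MAC over everything the scanner actually loads, then shows that editing one signature in the body passes the weak check but fails the strict one. The key, threat names, hashes and the "FriendlyFiles"-style allow-list are all constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption): real update packages carry vendor signatures,
# but an HMAC is enough to show what a check does and does not cover.
SIGNING_KEY = b"constructed-demo-key"

# Constructed sample data: threat name -> SHA-256 of a known sample (fake values).
BASE = {
    "Ransom.Conti": "aa11" * 16,
    "Tool.Mimikatz": "bb22" * 16,
    "Trojan.Emotet": "cc33" * 16,
}
DELTA = {"add": {"Trojan.Emotet.B": "dd44" * 16}, "remove": ["Trojan.Emotet"]}
FRIENDLY = {"ee55" * 16}  # constructed allow-list of benign file hashes


def canonical(obj) -> bytes:
    """Deterministic serialization so identical content always yields the same MAC."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(data: bytes) -> str:
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()


def apply_delta(base: dict, delta: dict) -> dict:
    """Merge a delta (additions and removals) into the base signature set."""
    merged = dict(base)
    merged.update(delta.get("add", {}))
    for name in delta.get("remove", []):
        merged.pop(name, None)
    return merged


def build_package(base: dict, delta: dict, version: str) -> dict:
    """Assemble an update package carrying both a header-only MAC and a full-content MAC."""
    header = {"version": version, "base_count": len(base)}
    content = {"base": base, "delta": delta, "merged": apply_delta(base, delta)}
    return {
        "header": header,
        "base": base,
        "delta": delta,
        "header_mac": sign(canonical(header)),    # weak: covers metadata only
        "content_mac": sign(canonical(content)),  # strong: covers everything consumed
    }


def weak_validate(pkg: dict) -> bool:
    """Header MAC plus a record count: any body edit that keeps the count passes."""
    mac_ok = hmac.compare_digest(pkg["header_mac"], sign(canonical(pkg["header"])))
    return mac_ok and pkg["header"]["base_count"] == len(pkg["base"])


def strict_validate(pkg: dict) -> bool:
    """Recompute the MAC over base, delta and the merge result that is actually loaded."""
    content = {"base": pkg["base"], "delta": pkg["delta"],
               "merged": apply_delta(pkg["base"], pkg["delta"])}
    return hmac.compare_digest(pkg["content_mac"], sign(canonical(content)))


def neutralize_signature(pkg: dict, threat: str) -> dict:
    """Model the tampering the article describes: overwrite one threat's hash so the
    real sample no longer matches, while leaving the record count unchanged."""
    edited = json.loads(json.dumps(pkg))  # deep copy
    edited["base"][threat] = "00" * 32
    return edited


def classify(pkg: dict, file_hash: str) -> str:
    """Scan verdict from the merged signature set: threat name, 'allowed', or 'unknown'."""
    if file_hash in FRIENDLY:
        return "allowed"
    merged = apply_delta(pkg["base"], pkg["delta"])
    for name, sig in merged.items():
        if sig == file_hash:
            return name
    return "unknown"


def demo() -> dict:
    """Run both checks against a genuine and a tampered package and record the verdicts."""
    genuine = build_package(BASE, DELTA, "2023.08")
    tampered = neutralize_signature(genuine, "Tool.Mimikatz")
    sample = "bb22" * 16  # constructed hash standing in for a real Mimikatz binary
    return {
        "genuine_weak": weak_validate(genuine),
        "genuine_strict": strict_validate(genuine),
        "tampered_weak": weak_validate(tampered),
        "tampered_strict": strict_validate(tampered),
        "verdict_before": classify(genuine, sample),
        "verdict_after": classify(tampered, sample),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that integrity checks must cover the exact content the consumer parses and acts on, including the result of the Base/Delta merge, not just a signed wrapper or a count of records; a check that verifies less than that leaves room for edits that keep the outer structure intact while changing what the scanner believes is malicious or benign.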

As a result, it is essential for organizations to continually assess the effectiveness of their security measures and conduct thorough research to ensure the security of signature update processes. This includes regularly testing security software and implementing additional layers of security, such as endpoint detection and response (EDR) systems.

Ultimately, the responsibility lies with both software vendors and organizations to protect against potential vulnerabilities. Software vendors must invest in robust security testing and ongoing updates to address vulnerabilities promptly. Organizations must prioritize proactive security measures and stay informed about the latest threats and vulnerabilities in order to effectively defend against potential attacks.

Keywords:

  • Windows Defender
  • Microsoft
  • Endpoint Detection and Response (EDR)
  • Cybersecurity
  • Antivirus
  • Threat Detection
  • Endpoint Security
  • Malware Protection
  • Security Software
  • Cyber Defense