LAS VEGAS—The worst thing a malware countermeasure can do is not missing hostile code on a computer; it’s acting like malware itself. In a briefing at the Black Hat security conference here, two researchers showed how they compromised the Microsoft Defender security app so thoroughly that its resulting actions left a copy of Windows unbootable.
“We managed to update Defender with a fake, unsigned database from an unprivileged user,” summed up Omer Attias, security researcher at SafeBreach.
In today’s talk and in a recap published afterwards on SafeBreach’s blog, Attias and SafeBreach security-research VP Tomer Bar unpacked how they reverse-engineered the update mechanisms of the Microsoft security tool, then found a vulnerability that let them poison it with fake data.
After a non-trivial amount of trial and error—“It turned out to be quite more complicated than we thought,” Attias said—the researchers discovered a way to bypass Microsoft’s digital-signature integrity checks. The trick was to overwrite validation fields in the unencrypted database files sent in each Defender update, one with a base list of every known malware threat and another containing the most recent changes.
In their first test, they used the “wd-pretender” app they wrote to delete records in those databases for a password-recovery tool named LaZagne that Microsoft classifies as a hacking tool. With those records gone, Defender no longer recognized the tool, and they could download it without interruption.
Next, they took aim at Defender’s “FriendlyFiles” list of executables known to be safe and overwrote an entry containing the hash value for a runtime library used by Oracle’s VirtualBox emulation software with the hash for a password-recovery tool called Mimikatz that
Read more on pcmag.com