‘Defender-Pretender’: How Researchers Undermined Windows Malware Security

A Black Hat briefing on a now-fixed vulnerability underscores an old lesson: ‘Trust no one.’

LAS VEGAS—The worst thing a malware countermeasure can do is not missing hostile code on a computer–it’s acting like malware itself. In a briefing at the Black Hat security conference here, two researchers showed how they compromised the Microsoft Defender security app so thoroughly that its resulting actions left a copy of Windows unbootable.

“We managed to update Defender with a fake, unsigned database from an unprivileged user,” summed up Omer Attias, security researcher at SafeBreach.

In today’s talk and in a recap published afterwards on SafeBreach’s blog, Attias and SafeBreach security-research VP Tomer Bar unpacked how they reverse-engineered the update mechanisms of the Microsoft security tool, then found a vulnerability that let them poison it with fake data. 

After a non-trivial amount of trial and error—“It turned out to be quite more complicated than we thought,” Attias said—the researchers discovered a way to bypass Microsoft’s digital-signature integrity checks. The trick was to overwrite validation fields in the unencrypted database files sent in each Defender update, one with a base list of every known malware threat and another containing the most recent changes.

In their first test, they used the “wd-pretender” app they wrote to delete records in those databases for a password-recovery tool named LaZagne that Microsoft classifies as a hacking tool. That left Defender fooled, allowing them to download that application without interruption.

Next, they took aim at Defender’s “FriendlyFiles” list of executables known to be safe and overwrote an entry containing the hash value for a runtime library used by Oracle’s VirtualBox emulation software with the hash for a password-recovery tool called Mimikatz that Defender normally blocks. Result: Defender allowed them to download and run that app.

Step three was to game the system further by rewriting a record for the Emotet bot to include a string warning of DOS-mode incompatibility that appears in a wide variety of system files. That turned Defender into an insider-threat attacker, and its subsequent rampage left the host system dead. 

“The operating system will not reboot anymore, and this computer is completely dead,” Bar said.

He offered three lessons from this research project: “First one, trust no one”; “Even the most reliable security tools might be used as loopholes by the adversary”; and “Security vendors should always verify in any step of the process, that the trust was not broken." 

SafeBreach disclosed these findings to Microsoft, which promptly researched and confirmed them and then shipped an April update to Defender that fixes the validation vulnerability (CVE-2023-24934, as recorded in the government’s National Vulnerability Database). So if your PC has been getting Microsoft’s updates to Defender automatically, this risk was closed out before you ever knew about it.

Source