Can you imagine Windows Defender being the reason behind a malicious attack?
This is exactly what two researchers from SafeBreach, Tomer Bar and Omar Attias, showcased during their talk at the Black Hat security conference 2023 in Las Vegas, U.S. Their goal was to compromise Windows Defender by hijacking the tool’s update process. This resulted in Defender being unable to acknowledge and attack malware as well as target system files that would render the machine unbootable.
How was such a feat accomplished?
After thorough inspection of the Windows Defender update process, the researchers were able to map out the actions taking place every time Windows Defender pinged the Windows Update Center for updates. They discovered that a single executable file called Microsoft Protection Antimalware Front End (MPAM-FE[.]exe) was returned. This MPAM file included additional executable files and Virtual Device Metadata (VDM) files, where these executable files would run as child processes when the MPAM file was executed. The VDM files were of two types, ‘Base’ and ‘Delta’, and contained numerous malware signatures.
The researchers uncovered that Windows Defender signature updates are the results of the merger of these two types of VDM files. After understanding the overall merge and validation process, they were able to bypass the integrity checks posed by Microsoft by overwriting the validation fields in the VDM files. The resulting process yielded a modified executable, containing a modified list of malware signatures, with a verified Microsoft signature.
What are some potential attack vectors?
During their presentation, the researchers showcased three types of attacks that can be performed by hijacking the update process of Windows Defender. The first attack vector would show the effect of removing malware signatures from the list of known signatures Windows Defender checks for. The tool ‘LaZagne’ was used, a well-known open-source application used for the retrieval of locally stored passwords which Windows Defender classifies as a threat. After updating Defender with the modified VDM files, the researchers showed that Defender was stumped, and the tool was downloaded successfully.
The second attack vector utilized a Windows Defender feature called ‘FriendlyFiles’. As the name suggests, this is a list of executables that Defender allows to be ran based on their hash algorithm value. Parsing this list, the researchers found the hash value for Oracle’s VirtualBox runtime library which they took and replaced with a known hash value of Mimikatz, another popular password recovery utility. After hijacking the update process, they were able to fool Defender into allowing the successful installation and execution of Mimikatz.
The third and last attack vector was a Denial-of-Service (DoS) attack, achieved by attempting to confuse Defender into deleting all portable executable (PE) files. This was achieved by altering an existing Emotet signature to contain the ‘Dos Mode Stub string’. This would show in PE files as a new malicious signature. If Defender came across the string ‘This program cannot be run in dos mode’ in the various operating system (OS) files, it would automatically assume they are malware and delete them. After the fake update, scanning the PC for malware will flag all PE files as malware of critical risk which prompts defender to delete them one by one leading to a permanent DoS, and .
Can these attacks be automated?
Yes, a fully automatic tool has been created called wd-pretender, which stands for Windows Defender Pretender. The Github repository for this tool is publicly available and includes information on possible attacks as well as a guide on how to utilize it.
Does that mean that my machine is vulnerable?
No, Microsoft was notified by the researchers immediately upon discovery of this vulnerability. Microsoft were able to confirm the find and act, by releasing an update for Defender to now require validation of the digital signature of the VDM files. The fixed version is Microsoft Malware Protection Platform version 4.18.2303.8.
As said by Tomer Bar, the two main takeaways from his talk are to “Trust no one. Even the most reliable security tools might be used as loopholes by the adversary”; and “Security vendors should always verify in any step of the process, that the trust was not broken”.
Presentation can be found here.