
‘Defender Pretender’ turns Windows’ malware protections against itself


LAS VEGAS — Windows Defender can be hijacked to ignore malware, falsely recognize benign files as malicious and even delete critical system files to render a machine inoperable, two Israeli researchers demonstrated at the Black Hat security conference here on Aug. 9.

Tomer Bar and Omer Attias of SafeBreach also introduced an automated tool called Defender Pretender that can replicate their attacks, as long as the version of the Microsoft Malware Protection Platform is earlier than 4.18.2303.8. The tool can be found at https://github.com/SafeBreach-Labs/wd-pretender. Microsoft catalogued the attack method as CVE-2023-24934 and patched the vulnerability in April.

"The lesson is 'Trust no one,'" said Bar, "even Microsoft's own processes. Digitally signed files are not always secure, and the signature update process of security programs could be used as an attack vector."

Inspired by the Flame state-sponsored malware of 2012, Bar and Attias wondered if they too could leverage the Windows Defender virus-signature update process to subvert a Windows system. But while Flame used a cryptographic collision to spoof a Microsoft digital signature, Bar and Attias raised the bar higher (or maybe lower) and set out to subvert Defender as an unprivileged user without special access or signatures.

"Our goal was to achieve similar capabilities WITHOUT a forged certificate," said Bar.

It wasn't easy, however. As you might imagine, Microsoft's endpoint-protection program is pretty well protected itself.

The researchers said they tore apart Defender's update engine, MPAM-FE.exe, and tried to subvert both its subroutine executable and an associated DLL file without success. Directly attacking its four virus-signature files (VDMs, in Microsoft-speak) didn't get very far, either. They were able to increment the version number of a VDM file and have Defender accept it, but adding a single byte to the file broke the update process.

However, after much trial and error, Bar and Attias noticed that the VDM files themselves go through a merge step during each Defender update.


In an echo of Defender's distant origins as an anti-spyware program for Windows XP, the virus-update files are divided into virus-specific and spyware-specific VDMs, with a "base" file and a "delta" file for each.

The base files ship with major Defender updates, in this case version 1.391.0.0. The delta files are delivered by the frequent incremental updates and their version numbers match the "security intelligence" version number displayed in the Windows Security Center, in this case 1.391.3508.0.

The delta files contain only the most recent updates, the ones not yet in the base files. When an update is applied, the two files are merged so that Defender has a complete set of virus and spyware signatures. It turned out that the signature tables in the base and delta files were compressed, but neither encrypted nor integrity-checked at merge time. (Microsoft's April patch changed this process so that Defender now validates the files before merging them.)

Bar and Attias figured out how to decompress the signature table, substitute or alter specific signatures, and then recompress the table so that Defender's signature-merge process was none the wiser. They ran demonstrations onstage using virtual machines, first replacing the signature of the LaZagne password-finder with a fake one and showing that Defender no longer blocked the program.
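The weakness in the two paragraphs above is that the merge trusted a compressed table whose contents nobody re-checked. The toy model below, added here as illustration and not SafeBreach's tool or Microsoft's code, builds a made-up base/delta container (a version field, an integrity tag, and a zlib-compressed JSON table; the layout, the detection names and hashes, and the HMAC standing in for Microsoft's code signing are all assumptions), performs the unverified merge that accepts a decompress-edit-recompress tampered delta, and then shows the hardened merge rejecting the same file.

```python
"""Toy model of a base/delta signature-table merge, with and without an
integrity check. Added example only: the container format, the sample
detections and the HMAC used in place of real code signing are assumptions,
not Defender's actual VDM format."""
import hashlib
import hmac
import json
import struct
import zlib

# Constructed sample tables: detection name -> hash of the file it matches.
BASE_SIGNATURES = {
    "Emotet": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
}
DELTA_SIGNATURES = {
    "LaZagne": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae",
}
# Assumed vendor key, standing in for the vendor's code-signing certificate.
VENDOR_KEY = b"vendor-signing-key-assumed-for-demo"


def pack(version, table, key=VENDOR_KEY):
    """Build a container: 4-byte version | 32-byte HMAC | zlib-compressed table.
    Like the real VDMs, the table is compressed but not encrypted."""
    blob = zlib.compress(json.dumps(table, sort_keys=True).encode())
    tag = hmac.new(key, struct.pack(">I", version) + blob, hashlib.sha256).digest()
    return struct.pack(">I", version) + tag + blob


def unpack(container):
    (version,) = struct.unpack(">I", container[:4])
    return version, container[4:36], container[36:]


def merge_unverified(base, delta):
    """The weak merge: accepts any delta whose version is newer than the base
    and never checks who produced the compressed table."""
    bver, _, bblob = unpack(base)
    dver, _, dblob = unpack(delta)
    if dver <= bver:
        raise ValueError("delta is not newer than base")
    table = json.loads(zlib.decompress(bblob))
    table.update(json.loads(zlib.decompress(dblob)))
    return table


def merge_verified(base, delta, key=VENDOR_KEY):
    """The hardened merge: verify the tag over version+table before trusting it."""
    for container in (base, delta):
        version, tag, blob = unpack(container)
        expected = hmac.new(key, struct.pack(">I", version) + blob, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("signature table failed integrity check")
    return merge_unverified(base, delta)


def tamper_delta(delta, name, new_hash):
    """What an unprivileged user can do to an unauthenticated delta:
    decompress, rewrite one signature, recompress, keep version and old tag."""
    version, tag, blob = unpack(delta)
    table = json.loads(zlib.decompress(blob))
    table[name] = new_hash
    new_blob = zlib.compress(json.dumps(table, sort_keys=True).encode())
    return struct.pack(">I", version) + tag + new_blob  # old tag no longer matches


def demo():
    """Returns (weak merge accepted the fake hash, hardened merge rejected it)."""
    base = pack(1, BASE_SIGNATURES)
    delta = pack(2, DELTA_SIGNATURES)
    fake_hash = "00" * 32  # a hash that matches nothing, so LaZagne is never detected
    evil = tamper_delta(delta, "LaZagne", fake_hash)
    weak = merge_unverified(base, evil)
    try:
        merge_verified(base, evil)
        rejected = False
    except ValueError:
        rejected = True
    return weak["LaZagne"] == fake_hash, rejected


if __name__ == "__main__":
    print(demo())
```

The version check alone is no defence: the tampered delta keeps the legitimate version number, which is exactly why Defender accepted the researchers' recompressed tables until the merge step started verifying what it consumed.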

Defender also has a whitelist of 30,000 "friendly" file signatures that are designated as benign. The researchers added the signature of the Mimikatz password-stealer to that list and showed that Mimikatz could now run without interference. Needless to say, such manipulation of virus signatures could open up a system to widespread infection.

But Bar and Attias weren't finished. To cap off their demos, they redefined the Emotet signature so that Defender would detect and remove Windows system files. Defender isn't meant to be driven from a DOS-style command prompt, but the researchers found a way to do so, then showed a command-line window rapidly deleting essential system files, after which the virtual machine tried and failed to reboot.

The SafeBreach researchers hope to apply this technique to gain local privilege escalation on a Windows system, but that's for another day.

Bar and Attias' Black Hat presentation slides can be viewed at https://i.blackhat.com/BH-US-23/Presentations/US-23-Tomer-Defender-Pretender-final.pdf.

Paul Wagenseil

Paul Wagenseil is custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.
