Authors: Tomer Bar, VP Security Research, SafeBreach | Omer Attias

The SafeBreach Labs team is committed to conducting original research to uncover new threats and ensure our Hacker's Playbook provides the most comprehensive collection of attacks. As part of our recent research efforts, we discovered a vulnerability in the Windows Defender update process that could effectively allow an unprivileged user to take full control of the Windows Defender tool and leverage it for future malicious activities. We first presented this research at Black Hat USA 2023 and are sharing it with the broader security community in this post.

Below, we will provide a high-level overview of the background information that served as the foundation for our latest discovery. We will then explain the research process that led us to successfully exploit the Windows Defender update process to deliver malicious updates and maintain persistence on affected systems as an unprivileged user without possessing a forged certificate or executing a sophisticated man-in-the-middle (MITM) attack. We will also provide an overview of the attack vectors we used to validate our findings. Finally, we will highlight the vendor response and identify how SafeBreach is sharing this information with the broader security community to help organizations protect themselves.

SafeBreach Labs delivers cutting-edge vulnerability and cybersecurity research based on real-world insights and observations of "in-the-wild" attacks. The inspiration for our research came from one such observation: Flame malware. In 2012, researchers from Kaspersky Lab discovered Flame malware that state-sponsored threat actors were leveraging to exploit the Windows update process using sophisticated MITM attacks. They were able to successfully hijack the Windows update process and redirect update requests from infected computers to their own servers. They were then able to deliver malicious updates and use this access to maintain persistence on the affected machines.

We began to wonder if it would be possible to similarly hijack the Windows Defender update process and potentially breach the Windows Defender product to control it to further malicious goals. We also wanted to accomplish this without running complex MITM attacks, without a forged certificate, and as an unprivileged user.

## The Research Process

### Understanding the Windows Defender Update Process

To determine our best course of action, our first step was to comprehensively understand the Windows Defender update process. We found that Windows Defender periodically pings the Microsoft Update Center and checks for any new signature definition updates. If an update is available, it is typically returned as a single executable file called Microsoft Protection Antimalware Front End (MPAM-FE.exe). Upon downloading and analyzing the MPAM file, we discovered that it included a cabinet (CAB) file that contained two executables, mpengine.dll and MpSigStub.exe, and four files with VDM extensions. Upon executing the MPAM file, we discovered that it also executed the MpSigStub file as a child process to download the updates.

We initially did not know much about the VDM files but soon discovered their importance in our research. The VDM files are portable executable files. However, they cannot be executed, as they include no code logic. We originally assumed that they were special data files that contained detection signatures. We observed that there were two types of VDM files, Base and Delta, with the primary difference being their size. After studying each file in further detail, we were able to understand how the Base and Delta VDM files are used to push new signature database updates to Windows Defender. We also discovered that Microsoft has digitally signed every file in the CAB file to prevent tampering with the update process.

We first decided to replace the mpengine.dll with our fake mpengine.dll file in the hopes that Defender would relinquish control of it to us. When we tried to run the update process, it failed because Defender determined that mpengine.dll was NOT signed by Microsoft and that it could not run the update. Next, we decided to turn our attention to the VDM files. We initially achieved some success when we were able to update an older VDM file (without modifying any of the data) and make Defender believe that it was a new version of that file. This gave us our first clue that we were headed in the right direction.
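As an added defender-side check (example code written for this post, not SafeBreach's or Microsoft's tooling), the script below inspects an MPAM-FE payload that has already been extracted to a folder (the folder path is an assumption): it verifies that every file, mpengine.dll, MpSigStub.exe and the .vdm files included, carries a valid Microsoft Authenticode signature, and it reports each file's version next to the engine and signature versions Defender currently has installed, because a correctly signed but older VDM is exactly what the research describes Defender accepting as new.

```powershell
# Added example; assumes the MPAM-FE.exe payload was already extracted to $Path.
function Test-DefenderUpdatePayload {
    param([Parameter(Mandatory)][string]$Path)

    $results = foreach ($file in Get-ChildItem -Path $Path -File -Recurse) {
        $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            File            = $file.Name
            Status          = $sig.Status   # only 'Valid' is acceptable (chain + hash verified)
            MicrosoftSigned = ($sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation')
            FileVersion     = $file.VersionInfo.FileVersion   # empty if no VERSIONINFO resource
        }
    }

    # Every file in the CAB is expected to be Microsoft-signed; anything else is a
    # tampered or foreign payload and the update must not be trusted.
    $untrusted = $results | Where-Object { -not $_.MicrosoftSigned }
    if ($untrusted) {
        Write-Warning 'Payload contains files that are not validly signed by Microsoft:'
        $untrusted | Format-Table -AutoSize | Out-String | Write-Warning
    }

    # A valid signature proves origin, not freshness. Surface what Defender currently
    # reports so the analyst can compare it against the payload versions and spot a
    # rollback to an older (still validly signed) definition set.
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        InstalledEngineVersion    = $status.AMEngineVersion
        InstalledSignatureVersion = $status.AntivirusSignatureVersion
        SignatureLastUpdated      = $status.AntivirusSignatureLastUpdated
        PayloadFiles              = $results
    }
}

# Usage (folder path is a placeholder):
# Test-DefenderUpdatePayload -Path 'C:\Analysis\mpam-fe-extracted'
```

The signature check alone reproduces what Defender did when it rejected the fake mpengine.dll; the version comparison is the part that the signature check cannot cover.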