
Microsoft patched nearly 100 vulnerabilities in April 2023. One of them was a security feature bypass vulnerability that allows an unprivileged user to hijack Windows Defender's own update process and turn the antivirus against the systems it is meant to protect. The research behind it was inspired by the Flame espionage campaign uncovered in Iran in 2012, which abused the Windows Update mechanism to spread.
The researchers uncovered the issues while attempting to take over the antivirus tool's signature update process.
Their primary goal was to verify whether the update process could be used to introduce malware onto systems through the EDR itself. They also wanted to verify whether they could make Windows Defender delete the signatures of known threats, and delete benign files so as to trigger a denial-of-service (DoS) condition on a compromised system.
The researchers achieved all of these objectives and developed an automated tool, wd-pretender (Windows Defender Pretender), that implements each of the attack vectors. Microsoft assigned the issue CVE-2023-24934 and issued a fix for it in April.
The researchers found that signature updates are typically delivered as a single executable called the Microsoft Protection Antimalware Front End (MPAM-FE.exe). That file in turn contains two executables and four Virtual Device Metadata (VDM) files that carry the malware signatures in compressed but unencrypted form. The VDM files work in tandem to push signature updates into Defender.
Two of the VDM files are large "Base" files containing some 2.5 million malware signatures; the other two are smaller but more complex "Delta" files. The Base file is the main file Defender consults for malware signatures, while the Delta file defines the changes to be applied to the Base file during an update.
Through this analysis they located malware names, their associated signatures, and where each string begins and ends. Windows Defender's effective signature set is the result of merging data from the Base and Delta files. Defender validates the files to ensure their data has not changed before or during the merge, and the researchers identified two specific numbers it relies on for that validation.
Simply deleting the name of a specific threat from the signature database was enough to stop Defender from detecting that threat.
They could also sneak malicious files onto a system by labeling them as "FriendlyFiles", the allow-list Defender uses to identify benign files. Finally, they crafted a signature that matched the string "This program cannot be run in DOS mode", the DOS stub present in almost every modern Windows executable, so that Defender automatically deleted every file containing it. The end result was a complete denial of service on the test system, Bar says.
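The following is an added illustration of the weakness described in the three paragraphs above (merge-time validation, signature removal, allow-listing, and the DOS-stub deletion rule), not SafeBreach's wd-pretender tool and not Defender's real VDM format. The database layout, names, patterns and op types are invented for illustration; a CRC32 stands in for the "two numbers" the updater checks, and an HMAC stands in for the vendor signature a hardened client would verify before merging (in practice the client would hold only a public key and verify an asymmetric signature). The point it shows: a checksum the attacker can recompute validates nothing, so a forged Delta that hides a threat, allow-lists a dropper, and turns the DOS stub into a detection passes the vulnerable merge, while a merge that checks a key-bound tag rejects it.

```python
import hashlib
import hmac
import json
import zlib

# Constructed sample "Base" database (name -> pattern) and allow-list.
# Illustration only: this is not Defender's VDM layout, and the names are invented.
BASE = {
    "signatures": {
        "Trojan:Win32/Sample.A": "evil-beacon-v1",
        "Backdoor:Win32/Sample.B": "reverse-shell-stub",
    },
    "friendly_files": ["trusted-helper.exe"],
}
# The DOS stub found in almost every PE file; used for the DoS vector below.
DOS_STUB = "This program cannot be run in DOS mode."
# Assumption: stands in for the vendor's signing key; the client would hold only a public key.
VENDOR_KEY = b"vendor-signing-key"


def encode(obj):
    return json.dumps(obj, sort_keys=True).encode()


def checksum(blob):
    # Stand-in for the validation numbers: anyone who can edit the file can recompute it.
    return zlib.crc32(blob) & 0xFFFFFFFF


def build_delta(base_blob, ops):
    """A Delta = list of edits, plus checksums over the Base it targets and over itself."""
    body = {"base_crc": checksum(base_blob), "ops": ops}
    return encode({"body": body, "crc": checksum(encode(body))})


def apply_ops(db, ops):
    db = {"signatures": dict(db["signatures"]), "friendly_files": list(db["friendly_files"])}
    for op in ops:
        if op["op"] == "remove_signature":
            db["signatures"].pop(op["name"], None)
        elif op["op"] == "add_signature":
            db["signatures"][op["name"]] = op["pattern"]
        elif op["op"] == "add_friendly":
            db["friendly_files"].append(op["name"])
        else:
            raise ValueError("unknown op " + op["op"])
    return db


def merge_unverified(base_blob, delta_blob):
    """Vulnerable merge: accepts any Delta whose checksums are self-consistent."""
    delta = json.loads(delta_blob)
    body = delta["body"]
    if delta["crc"] != checksum(encode(body)) or body["base_crc"] != checksum(base_blob):
        raise ValueError("checksum mismatch")
    return apply_ops(json.loads(base_blob), body["ops"])


def sign_delta(delta_blob, key=VENDOR_KEY):
    return hmac.new(key, delta_blob, hashlib.sha256).hexdigest()


def merge_verified(base_blob, delta_blob, tag, key=VENDOR_KEY):
    """Hardened merge: the Delta must carry a tag the attacker cannot produce."""
    if not hmac.compare_digest(sign_delta(delta_blob, key), tag):
        raise ValueError("delta not signed by vendor")
    return merge_unverified(base_blob, delta_blob)


def scan(db, filename, content):
    """Returns 'allow' (allow-listed), 'clean', or 'delete:<signature name>'."""
    if filename in db["friendly_files"]:
        return "allow"
    for name, pattern in db["signatures"].items():
        if pattern in content:
            return "delete:" + name
    return "clean"


def attacker_delta(base_blob):
    """The three edits from the article: hide a threat, allow-list a dropper,
    and make the DOS stub itself a detection so every PE gets deleted."""
    return build_delta(base_blob, [
        {"op": "remove_signature", "name": "Trojan:Win32/Sample.A"},
        {"op": "add_friendly", "name": "dropper.exe"},
        {"op": "add_signature", "name": "Trojan:Win32/EveryPE", "pattern": DOS_STUB},
    ])


def demo():
    base_blob = encode(BASE)
    forged = attacker_delta(base_blob)
    db = merge_unverified(base_blob, forged)  # passes: attacker computed the checksums
    results = {
        "notepad_before": scan(BASE, "notepad.exe", "MZ..." + DOS_STUB),
        "malware_after": scan(db, "beacon.exe", "xx evil-beacon-v1 xx"),
        "dropper_after": scan(db, "dropper.exe", "reverse-shell-stub"),
        "notepad_after": scan(db, "notepad.exe", "MZ..." + DOS_STUB),
    }
    try:  # the same forged Delta with a guessed tag is rejected by the hardened merge
        merge_verified(base_blob, forged, tag="0" * 64)
        results["verified_accepts_forgery"] = True
    except ValueError:
        results["verified_accepts_forgery"] = False
    genuine = build_delta(base_blob, [{"op": "add_signature", "name": "Trojan:Win32/New.C", "pattern": "new-c-stub"}])
    results["verified_accepts_genuine"] = "Trojan:Win32/New.C" in merge_verified(base_blob, genuine, sign_delta(genuine))["signatures"]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Running it shows the sample malware going undetected, the allow-listed dropper passing untouched, and a harmless PE being marked for deletion once the DOS stub is a "signature"; the hardened merge accepts the genuinely tagged Delta and rejects the forged one. The design point is that validation values which live inside the very file being validated, and which the attacker can recompute, only catch corruption, not tampering; integrity of the merged result has to be anchored in something the attacker cannot produce.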
Although Microsoft digitally signs the files used in the update process, the vulnerability meant the validation checks failed to detect subsequent changes to those signed files, he says. Given the potential for signature update processes to be exploited as a new attack vector, more research is needed to ensure the security of this process.
The research was carried out by SafeBreach researchers Tomer Bar and Omer Attias.