App Review Microsoft Defender- A Possible Future

Content created by cruelsister (thread author, content creator; member since Apr 13, 2013)


A view of some of the mechanisms by which malware droppers work:

1). Unlike a malware downloader, which needs network access to connect to a server and acquire a malicious payload, in a dropper the payload is obfuscated within the dropper itself and then unpacked and moved onto the target drive. I've used 7-Zip to simulate this unpacking as it parallels what actually occurs.
2). ProgramData is a preferred place for a dropper to unpack the payload, as it is by default a hidden directory. This makes it more difficult for a malicious file to be spotted; important for malware such as this (termed a persistent dropper), as the malware is to remain on the system to be activated later through a scheduled task.
3). The inclusion of a routine to deactivate UAC is almost a given for malware droppers.
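The three traits listed above (payload unpacked under the hidden ProgramData directory, persistence through a scheduled task, UAC switched off) are all things a defender can look for from the host side. The following is an added read-only audit script, not part of the original post or of the video; the function names are mine, the list of "user-writable" roots is an assumption about where droppers commonly unpack, and nothing here is a signature for any specific malware.

```powershell
# Added example: audit a Windows host for persistent-dropper traits.
# Read-only. Run from an elevated PowerShell prompt on Windows 8+/Server 2012+
# (needs the ScheduledTasks module). Function names are hypothetical.

function Get-ProgramDataExecutables {
    # -Force includes hidden directories and hidden files, which is the point:
    # ProgramData is hidden by default, so Explorer users rarely look there.
    $exts = '.exe', '.dll', '.scr', '.bat', '.cmd', '.ps1', '.vbs', '.js'
    Get-ChildItem -Path $env:ProgramData -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in $exts } |
        Select-Object FullName, Length, LastWriteTime, Attributes
}

function Get-SuspiciousScheduledTasks {
    # Flag tasks whose action executes from (or references) a location a
    # non-admin dropper can write to. Roots are an assumption, extend as needed.
    $userWritable = @($env:ProgramData, "$env:SystemDrive\Users", "$env:windir\Temp")
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # ComHandler actions have no Execute; [string]$null becomes "".
            $exe  = [Environment]::ExpandEnvironmentVariables(([string]$action.Execute).Trim('"'))
            $argv = [Environment]::ExpandEnvironmentVariables([string]$action.Arguments)
            $hit  = $userWritable | Where-Object { $exe -like "$_*" -or $argv -like "*$_*" }
            if ($hit) {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Execute   = $exe
                    Arguments = $argv
                    State     = $task.State
                }
            }
        }
    }
}

function Get-UacState {
    # EnableLUA=0 turns UAC off entirely; ConsentPromptBehaviorAdmin=0 makes
    # elevation silent for admins. Either one means "UAC effectively disabled".
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        UacEffectivelyDisabled     = ($p.EnableLUA -eq 0) -or ($p.ConsentPromptBehaviorAdmin -eq 0)
    }
}

Get-UacState
Get-SuspiciousScheduledTasks | Format-Table -AutoSize
Get-ProgramDataExecutables | Sort-Object LastWriteTime -Descending | Select-Object -First 20
```

Legitimate software (updaters, telemetry agents) also installs tasks that run from ProgramData, so the task list is a starting point for triage rather than a verdict; a recently written executable plus a fresh task plus EnableLUA=0 is the combination the post describes.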
 

Andy Ful (Hard_Configurator Tools developer; member since Dec 23, 2014)
I do not like the possibility of the attacker excluding paths, even if it is not commonly used in the wild against home users.
This method can invalidate AV protection, but it is hard to test how effective it could be in widespread (automated) attacks. There are some additional factors that must be taken into account:
1. It is usually easier and more efficient to use a new 0-day (morphed) variant than to create a loader and find an older malware (X.exe in the video) that can bypass the AV behavior-based protection.
2. We must be certain that X.exe (the older malware) can bypass the AV behavior-based protection. This can be tested, but the AV can learn during the test. So the test can increase malware detection (by behavior).
3. After some time, the AV can behaviorally detect the initial malware loader, even if X.exe is executed from the excluded folder.

In targeted attacks, the above points can be less important. So it would be interesting to test how efficient this method could be. :) (y)
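The "attacker excludes a path" concern above is something you can check for on your own machine: Defender records its exclusions in its preferences and logs every configuration change as event ID 5007 in its Operational log. The script below is an added example, not from the post or from Hard_Configurator; the function names are mine, and the set of roots treated as "user-writable" is an assumption.

```powershell
# Added example: report Defender exclusions and the events that created them.
# Read-only. Run elevated so Get-MpPreference and the Operational log are readable.

function Get-DefenderExclusionReport {
    $pref = Get-MpPreference
    # Assumption: exclusions under these roots are the ones a dropper running
    # as the user (or after a UAC bypass) could populate.
    $writableRoots = @($env:ProgramData, "$env:SystemDrive\Users", "$env:windir\Temp")

    foreach ($p in @($pref.ExclusionPath) | Where-Object { $_ }) {
        $expanded = [Environment]::ExpandEnvironmentVariables($p)
        $risky = $writableRoots | Where-Object { $expanded -like "$_*" }
        [pscustomobject]@{ Kind = 'Path'; Value = $p; UserWritable = [bool]$risky }
    }
    foreach ($x in @($pref.ExclusionExtension) | Where-Object { $_ }) {
        # An excluded extension (e.g. .exe) is always a red flag.
        [pscustomobject]@{ Kind = 'Extension'; Value = $x; UserWritable = $true }
    }
    foreach ($x in @($pref.ExclusionProcess) | Where-Object { $_ }) {
        # Files touched by an excluded process are not scanned either.
        [pscustomobject]@{ Kind = 'Process'; Value = $x; UserWritable = $null }
    }
}

function Get-DefenderExclusionChanges {
    param([int]$Days = 30)
    # Event 5007 = "configuration has changed"; its message carries the
    # registry key that changed, which for exclusions contains "Exclusions".
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, @{
            Name       = 'Change'
            Expression = {
                ($_.Message -split "`r?`n" | Where-Object { $_ -match 'Old value|New value' }) -join ' | '
            }
        }
}

Get-DefenderExclusionReport | Format-Table -AutoSize
Get-DefenderExclusionChanges -Days 30 | Format-Table -Wrap
```

An exclusion you did not add, especially one under ProgramData or a user profile, is exactly the condition the post is worried about; the 5007 timestamp tells you when it appeared and can be lined up with process-creation logs from the same minute.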
 

cruelsister
> I do not like the possibility of the attacker excluding paths, even if it is not commonly used in the wild against home users.

This mechanism would indeed target specifically the home user. It goes after the lowest-hanging fruit, namely those who solely rely on Defender (the "Defender Is Enough" crowd).
 

Andy Ful
> This mechanism would indeed target specifically the home user. It goes after the lowest-hanging fruit, namely those who solely rely on Defender (the "Defender Is Enough" crowd).

It may not be the lowest-hanging fruit, due to points 1-3 from my previous post.

If you recall, I used a similar and far more devastating attack vector to test Defender:
loader/orchestrator ----> UAC bypass ----> kill Defender ----> run any malware (even 10 years old).

The fruits in this attack were placed much lower compared to the attack from the video, especially against home users; points 1-3 were bypassed too. The attack vector was well known for years, and was probably never used in widespread attacks. Currently, killing Defender in this way is not possible because of improved Tamper Protection. Microsoft did it because red teams included this method in their arsenal in the summer of 2021.

Andy Ful
I can see the "exclusion vulnerability" as an unpleasant possibility, but currently not a danger for home users. Of course, it is still "fruit", so it may be used in attacks. I wish Microsoft would close this vulnerability before it hurts home users. The threat landscape evolves, so more and more home users are vulnerable to semi-targeted attacks (like in the Magniber campaigns).

Malleable (member since Mar 2, 2021)
What do you believe is the main reason MS doesn't address blatant shortcomings in Defender? They certainly have the talent and financial resources to do so. Might it be because spin-off negative effects, such as disrupting some other process(es) until corrected, may annoy the casual user who probably comprises the bulk of Defender's end users, as mentioned above? Or is it because, like most other gargantuan organizations, their wheels grind slowly despite the nimbleness of the malware crowd, and any new coding may give rise to new, unforeseen vulnerabilities the current crop of code checkers haven't caught up with yet? Is it MS wanting to save the good stuff for their corporate clients who pay for it? Something else?

cruelsister
> Does this malware attack then try to call out every 60 seconds to share the stolen data, so only X.exe needs outbound access?

The payload in this video does not need network access at all (as it isn't a stealer) and will do damage whenever run. In the previous video the payload was a stealer, which did use the network to transmit stolen data.

I just wanted to contrast the malware: X is a murderer, while in the last video the malware was a thief.
 

Andy Ful
> What do you believe is the main reason MS doesn't address blatant shortcomings in Defender?

Currently, MS does not recognize such attacks as dangerous on the basis of the collected telemetry. The attack uses a particular UAC bypass, so the first reaction will be to prevent it. The usual reaction is to ignore a problem until the moment when the attack vector becomes too popular in the wild. This is my reflection after testing the kill-Defender POC.
 
ForgottenSeer 97327

> A view of some of the mechanisms by which malware droppers work:
>
> 1). Unlike a malware downloader, which needs network access to connect to a server and acquire a malicious payload, in a dropper the payload is obfuscated within the dropper itself and then unpacked and moved onto the target drive. I've used 7-Zip to simulate this unpacking as it parallels what actually occurs.
>
> 3). The inclusion of a routine to deactivate UAC is almost a given for malware droppers.

1. That is why people should not install an unzipper which extracts executables with MOTW; use the Windows default instead.
3. Running SUA is a security border; using UAC on Admin is not a security border.

Agreed, Microsoft has an ambiguous approach towards implementing security and facilitating workarounds for hard-core admin users. The Android, Apple and Linux-based OSes show how easy it can be when the OS enforces secure usage and rights separation. I don't install software as a hobby and have run SUA without problems since 2019. All Microsoft software updates without needing elevation. But there are, sadly, enough developers who create software that makes it a hassle to run SUA.

My wife uses offline photobook software (because it has more editing options than the online version). That application installs in user folders and creates a profile for the current user (and refuses to update with "run as admin" because another profile is active). That application only updates once or twice a year and refuses to run in SUA after it has found an update. My wife only uses it once or twice a year, but nearly every time she wants to create a new photo book, it refuses to run. Then I need to give her SUA user admin privileges, update the !@#$ photobook application and set her user back to SUA again. I understand that people might be tempted to run as Admin, but this hassle only occurs once or twice a year. I know PsExec has an option to run as admin with another profile, but I am too lazy to figure that out.

I really like your videos; they show that no matter how many layers security enthusiasts install on Admin, there are always workarounds possible given the holes in default Microsoft (Defender) protection and the bugs every piece of software has (of which some can be misused in a predictable manner). They are a motivation to run SUA (and default deny), thanks (y)

Andy Ful
> 1. That is why people should not install an unzipper which extracts executables with MOTW; use the Windows default instead.

Currently, it is possible to set 7-Zip to preserve MOTW, like the Windows default unpacker. Also, MOTW is now preserved when extracting files from ISO images. So, many attacks via EXE or MSI files can be prevented by SmartScreen for Explorer.

> That application only updates once or twice a year and refuses to run in SUA after it has found an update.

In most cases, it is better to block auto-updates for desktop applications on SUA, except those performed via scheduled tasks. Then the user does not have a problem with UAC prompts. For most applications, the updates can be done once a year. So, it is possible to choose one day and manually update all of them. :)
 

Andy Ful
> I read Microsoft official documents and haven't found anything about SUA being better than UAC (max) on Admin.

It is better. Bypassing SUA usually requires bypassing the isolation between different accounts. UAC (also at max) on Admin does not change the account. See for example:
https://www.tiraniddo.dev/2017/05/reading-your-way-around-uac-part-1.html
https://www.tiraniddo.dev/2017/05/reading-your-way-around-uac-part-2.html
https://www.tiraniddo.dev/2017/05/reading-your-way-around-uac-part-3.html

Edit.
There were some UAC bypasses in the wild that worked with UAC at max on Admin and did not work on SUA.
I know one example that still works. It is blocked by Defender, but I am not sure if all AVs block it too. I tested the bypass a few minutes ago; here is the info from the ConfigureDefender log (translated from Polish):

*************************************************************************
Event[0]:
Time Created : 27.12.2022 12:50:02
ProviderName : Microsoft-Windows-Windows Defender
Id : 1116
Message : Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Behavior:Win32/UACBypassExp.ZI threat description - Microsoft Security Intelligence
Name: Behavior:Win32/UACBypassExp.ZI
ID: 2147766807
Severity: Severe
Category: Suspicious Behavior
Path: behavior:_process: C:\Windows\System32\reg.exe, pid:10116:145905084353834
Detection Origin: Unknown
Detection Type: Concrete
Detection Source: System
User: NT AUTHORITY\SYSTEM
Process Name: Unknown
Security Intelligence Version: AV: 1.381.1184.0, AS: 1.381.1184.0, NIS: 1.381.1184.0
Engine Version: AM: 1.1.19900.2, NIS: 1.1.19900.2
*************************************************************************
 
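The log above is the text of Defender event ID 1116 as the ConfigureDefender tool renders it, in the system's display language. To reproduce the same check without a third-party tool, and without depending on the language of the message text, read the event's structured EventData instead: the field names there ("Threat Name", "Severity Name", "Path", and so on) are the same on every locale. The script below is an added example, not from the post or from ConfigureDefender; the function name is mine, and the EventData field names are my reading of the Defender event schema (older builds use "Signature Version" where newer ones use "Security intelligence Version", so both are tried).

```powershell
# Added example: pull Defender detection events (1116 = detected, 1117 = action
# taken) from the Operational log and filter by threat name, locale-independent.
# Read-only; run elevated so the log is readable.

function Get-DefenderDetectionEvents {
    param(
        [int]$Hours = 24,
        # Regex applied to the threat name, e.g. '^Behavior:Win32/UACBypass'.
        [string]$ThreatPattern = '.'
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The XML form exposes <Data Name="...">value</Data> pairs that do not
        # change with the display language, unlike the Message property.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['Threat Name'] -notmatch $ThreatPattern) { return }  # skip this event

        $sigVersion = $data['Security intelligence Version']
        if (-not $sigVersion) { $sigVersion = $data['Signature Version'] }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Threat    = $data['Threat Name']
            Severity  = $data['Severity Name']
            Category  = $data['Category Name']
            Path      = $data['Path']
            Process   = $data['Process Name']
            User      = $data['Detection User']
            Action    = $data['Action Name']
            Engine    = $data['Engine Version']
            Signature = $sigVersion
        }
    }
}

# Example matching the log posted above: any UAC-bypass behaviour detection
# from the last day.
Get-DefenderDetectionEvents -Hours 24 -ThreatPattern '^Behavior:Win32/UACBypass' | Format-List
```

The "Path" value for a behaviour detection is not a file path but a process reference (in the posted log, reg.exe under SYSTEM), which is the hint that the detection fired on what the process did rather than on a file on disk.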

Malleable
> Currently, MS does not recognize such attacks as dangerous on the basis of the collected telemetry. The attack uses a particular UAC bypass, so the first reaction will be to prevent it. The usual reaction is to ignore a problem until the moment when the attack vector becomes too popular in the wild. This is my reflection after testing the kill-Defender POC.

I guess they feel there's enough on their plates at any given moment and have no choice but to prioritize.
Thanks.
 
ForgottenSeer 97327

> 1. Currently, it is possible to set 7-Zip to preserve MOTW, like the Windows default unpacker. Also, MOTW is now preserved when extracting files from ISO images. So, many attacks via EXE or MSI files can be prevented by SmartScreen for Explorer.
>
> 2. In most cases, it is better to block auto-updates for desktop applications on SUA, except those performed via scheduled tasks. Then the user does not have a problem with UAC prompts. For most applications, the updates can be done once a year. So, it is possible to choose one day and manually update all of them. :)

1. Did not know that. Unzippers extracting applications from the internet without explicit allow from the user (removing MOTW) are a no-go for me. Using the Windows default would have failed CruelSister's demo right at the start, as you explained (but that would have taken the fun out of CruelSister's video: look, Windows works).

2. Yes, but this application does not have an option to stop updating. At start it looks for new (photobook) templates and downloads these new products. When I deny it outbound access with WFW, it also refuses to start.

> I read Microsoft official documents and haven't found anything about SUA being better than UAC (max) on Admin.

It was explicitly mentioned over and over again when Microsoft introduced UAC on Vista (that UAC was not a security boundary and SUA was). UAC is separation between user mode and admin mode. UAC does provide user-mode security advantages, but it is a soft border (same user), as opposed to SUA, which is a hard border (different user boundary).

@WhiteMouse Your avatar is not a white mouse, but a golden (or Syrian) hamster :)
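Both of the MOTW points in this exchange (Andy Ful's note that 7-Zip can now be set to preserve it, and the reply that a stripping unzipper would have let the demo's payload skip SmartScreen) come down to one NTFS detail: the mark is the Zone.Identifier alternate data stream on the extracted file, and SmartScreen only consults it if ZoneId is 3 (Internet) or 4 (Restricted). The script below is an added example for checking this on an extracted folder; it is not from the thread or from 7-Zip, the function names are mine, and the list of "executable" extensions is an assumption. In recent 7-Zip versions the relevant GUI setting is Tools > Options > 7-Zip tab, "Propagate Zone.Id stream"; this script only verifies the result, it does not change 7-Zip's configuration.

```powershell
# Added example: inspect and re-apply the Mark-of-the-Web on extracted files.
# Works on NTFS volumes only (alternate data streams). No elevation needed.

function Get-ZoneId {
    # Returns the ZoneId from the Zone.Identifier stream, or $null if absent.
    param([string]$Path)
    try {
        $content = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
        foreach ($line in $content) {
            if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { return [int]$Matches[1] }
        }
        return $null
    } catch {
        return $null   # no Zone.Identifier stream: the file is "trusted" by SmartScreen
    }
}

function Find-UnmarkedExecutables {
    # Lists executable-ish files under $Folder and whether SmartScreen will
    # treat them as downloaded (ZoneId 3 or 4). Extension list is an assumption.
    param([string]$Folder)
    $exts = '.exe', '.msi', '.scr', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.jar', '.lnk', '.dll'
    Get-ChildItem -LiteralPath $Folder -Recurse -File -Force |
        Where-Object { $_.Extension -in $exts } |
        ForEach-Object {
            $zone = Get-ZoneId -Path $_.FullName
            [pscustomobject]@{
                File                 = $_.FullName
                ZoneId               = $zone
                SmartScreenWillCheck = ($null -ne $zone -and $zone -ge 3)
            }
        }
}

function Set-InternetZone {
    # Re-applies MOTW (ZoneId 3 = Internet) to a file that lost it during
    # extraction, so SmartScreen and Defender handle it like a fresh download.
    param([string]$Path)
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}

# Usage: point at a folder you just extracted from a downloaded archive.
$extracted = Join-Path $env:USERPROFILE 'Downloads\extracted'
Find-UnmarkedExecutables -Folder $extracted | Format-Table -AutoSize

# Mark everything that came out unmarked; comment out to only report.
Find-UnmarkedExecutables -Folder $extracted |
    Where-Object { -not $_.SmartScreenWillCheck } |
    ForEach-Object { Set-InternetZone -Path $_.File }
```

The Windows shell and `Unblock-File` go the other way (they remove the stream); the point of `Set-InternetZone` is the reverse, putting the mark back when an archiver or a copy to a FAT-formatted USB stick has dropped it, which is the situation the two posts describe.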

Andy Ful
> 2. Yes, but this application does not have an option to stop updating. At start it looks for new (photobook) templates and downloads these new products. When I deny it outbound access with WFW, it also refuses to start.

It is not a problem for you (1 application only). But if there were more such applications, then each update must be downloaded somewhere and then executed. In many cases, the downloaded updater can be blocked by path.
Which photobook application does your wife use?
 

Andrezj (member since Nov 21, 2022)
> This mechanism would indeed target specifically the home user. It goes after the lowest-hanging fruit, namely those who solely rely on Defender (the "Defender Is Enough" crowd).

But the argument is that for those users that do not download anything, Defender is enough.
When Defender is recommended as enough here, it is meant within the general idea that MT members are, on average, experienced enough to know better and practice safer habits.
I have only ever seen one MT member report that they got badly infected, and that was a ransomware that was not detected or stopped by ESET.

Looking at the user problem and the malware problem, the average home user is best served by a combination of automation, virtualization and a backup solution:
no alerts, can roll back the system, and can restore the entire system if required.
These can all be had in different variations, either free or paid.

The reality: most users that go searching for something above Defender are going to choose an internet security suite.
 
ForgottenSeer 69673

> The payload in this video does not need network access at all (as it isn't a stealer) and will do damage whenever run. In the previous video the payload was a stealer, which did use the network to transmit stolen data.
>
> I just wanted to contrast the malware: X is a murderer, while in the last video the malware was a thief.

I am sorry, I am getting the videos messed up again.
The 11th commandment says: thou shalt not run any EXEs. Right?

And thou shalt not run batch, script or MSI files, lol.
 
