Captain Hook: Pirating AVs to Bypass Exploit Mitigations

Presented at Black Hat USA 2016, Aug. 3, 2016, 4:20 p.m. (50 minutes)

Put a low-level security researcher in front of hooking mechanisms and you get industry-wide vulnerability notifications, affecting security tools such as Anti-Virus, Anti-Exploitations and DLP, as well as non-security applications such as gaming and productivity tools. In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft's Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.

In this talk we'll survey the different vulnerabilities, and deep dive into a couple of those. In particular, we'll take a close look at a vulnerability appearing in the most popular commercial hooking engine of a large vendor. This vulnerability affects the most widespread productivity applications and forced the vendor to not only fix their engine, but also that their customers fix their applications prior to releasing the patch to the public. Finally, we'll demonstrate how security tools can be used as an intrusion channel for threat actors, ironically defeating security measures.

Presenters:

• Tomer Bitton - enSilo
  Tomer Bitton is VP of Research at enSilo. Tomer has over 12 years of experience in security research. Tomer focuses on original research such as malware reversing, hostile code and extreme packers. In his prior role, Tomer served as a low-level security researcher at the National Electronic Warfare Research & Simulation Center of Rafael Advanced Defense Systems. There, he won excellence and innovation awards for complex security projects. Before that, Tomer managed the security content team at Imperva. Previous roles included a security researcher at Radware and a senior malware researcher at RSA Security.
• Udi Yavo - enSilo
  Udi Yavo has more than 15 years of experience in cyber-security with a proven track record in leading cutting edge cyber-security R&D projects. Prior to enSilo, Udi spearheaded the direction of the cyber-security unit at the National Electronic Warfare Research & Simulation Center of Rafael Advanced Defense System and served as its CTO. Additionally, he developed and led Rafael's cyber training programs. Udi's achievements at Rafael have been recognized, winning him excellence and innovation awards on complex security projects. Prior to Rafael, Udi served as a system architect at the IDF. He holds a BA in Computer Science from the Open University.

Links:

• https://www.blackhat.com/us-16/briefings.html#captain-hook-pirating-avs-to-bypass-exploit-mitigations
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2016/Captain Hook - Pirating AVS to Bypass Exploit Mitigations.mp4
• https://www.youtube.com/watch?v=jakv68viVYc
• https://www.blackhat.com/docs/us-16/materials/us-16-Yavo-Captain-Hook-Pirating-AVs-To-Bypass-Exploit-Mitigations.pdf
• https://www.blackhat.com/docs/us-16/materials/us-16-Yavo-Captain-Hook-Pirating-AVs-To-Bypass-Exploit-Mitigations-wp.pdf

Similar Presentations:

• VB2016 / (In-) Security of Smartphone AntiVirus and Security Apps
• BSidesSF 2016 / Sedating the Watchdog: Abusing Security Products to Bypass Windows Protections
• AppSec USA 2015 / Security as Code: A New Frontier