You Don't See Me - Abusing Whitelists to Hide and Run Malware

Presented at BSidesLV 2016, Aug. 3, 2016, noon (30 minutes)

This talk will outline a method for exploiting security software with a focus on unauthorized whitelisting. Many security products have the ability to permit or ignore a detected threat which ensures administrative override is available in the event a false positive is encountered. In most cases this requires user interaction by clicking a button labelled Accept/Ignore/Permit which tells the software to ignore this threat going forward. By learning how the application reads and writes these exemptions, we can uncover vulnerabilities that may lead to exploitation of these components. If an exploit can be found and written into a piece of malware, it's possible for the malware to whitelist itself without any interaction from the end user! Instead of being detected and quarantined, the malware is free to do its thing while the security software turns a blind eye. The flow of the presentation will start with talking about why whitelisting exists and various methods used by different products to achieve this. This part can be summarized as "everyone does it differently". The next part talks about the process to discover how the application handles exemptions including the steps, tools and techniques used. The last part talks about things to look for that may indicate a whitelist component is vulnerable to abuse and where to begin exploiting. The talk will borrow heavily from my professional work experiences as well as my personal side projects. To date, these methods have been applied to 5 different security products, 3 of which have successfully resulted in malware executing on the host after the successfully whitelisting itself. 1 product has been fixed, 1 is pending a fix and a third has yet to be reported. In the interest of responsible disclosure, I would like this talk to not include any product names and remain generic with a focus on the issue around abusing whitelists as opposed to specific proven scenarios.

Presenters:

• Michael Spaling - University of Alberta
  Trekkie, Lego fan and lover of all things sci-fi. I work at a large research intensive University located in Edmonton, Canada with a focus on operational security. During my downtime I enjoy making things work in ways that were never intended.

Links:

• https://bsideslv2016.sched.com/event/7ZXl/you-dont-see-me-abusing-whitelists-to-hide-and-run-malware

Similar Presentations:

• ShmooCon XI (2015) / Simple Windows Application Whitelisting Evasion
• DeepSec 2015 „DeepSec No. 9“ / A Case Study on the Security of Application Whitelisting
• ekoparty 14 (2018) / To Execute or Not to Execute. How to Build a Malware Execution Lab