
Is that good? No? They're perfect, even better. Okay, so yeah, my name is Michael Spalling. I work at the University of Alberta up in Edmonton, Canada, and if you've never done security at a large research university, things get pretty interesting. One of the things that we joke about is that our production networks are just the bad guys' test environments, and despite joking about that, it's the sad reality of it. I've been there for about six years, mostly in a security operations role. I work on a small team that's responsible for things like firewalls, intrusion prevention systems, incident response. A shameless plug, but a lot of that is actually going to be changing: about three weeks ago I accepted a promotion to team lead, so now I'm going to be leading the team that I've been working on in security for the last six years, so I'm looking forward to whatever opportunities that brings up.

I got kind of interested in vulnerabilities and exploits a little over a year ago. I attended a conference in Vancouver called CanSecWest and it just blew my mind wide open in regards to what can actually go wrong with a computer and what people are really capable of hacking, and ever since then I was like, that's interesting, I really want to get involved in this. So I started kind of digging around, and one of the things that I did last year is what I'm presenting now. And yeah, it's also my first national talk. I've done quite a bit of talks at the University campus and just at local user groups in Edmonton, but this is my first time talking at a conference like this, so I'm really excited. On the bottom, those are things I like; if you like those things too, then there are things to talk about. And the picture, if anybody plays World of Warcraft, that's proof that my wife actually let me bring Frostmourne to our wedding and get it in the photos. So there we go.
So this is just a quick agenda. Here's what we're going to talk about: a little bit about just some background, really why you should care about this. Whitelist abuse is actually kind of cool and fun, I think. And then we're going to go on a whitelisting tour, so I'll show you guys what I've been covering in different security products in the last year, not necessarily vulnerabilities in a lot of them, but just differences. And really what it comes down to is that everything is done differently. There really are no standards or agreed-upon best practices for how to implement the whitelist, so you'll see that pretty quickly. When it's done, I'm going to end the whitelisting tour on one specific issue that I found in two products that I'm then going to demo. So I've got a live demo planned, there's a VM set up here, so if any of you have beer, just chug it now for the demo gods, because it's probably going to go to hell. And the second one is pre-recorded. The first one is against a product called Zemana AntiLogger, maybe you guys are familiar with it. The second one is against Malwarebytes. I disclosed this issue to Malwarebytes last year, they paid a thousand dollar bounty for it, and I'll show you guys what happens. So I thought that was pretty neat, and if there's time we'll do a Q&A at the end.
So if you're interested in this type of stuff, there is some research going on in this area. Two people notably, Tavis Ormandy from Google's Project Zero and Joxean Koret, these guys have been doing some really, really interesting things with breaking security software. So it's not unexpected, but I think it's hilarious that the actual software that's designed to protect you in itself has flaws that can actually lead to your own compromise. So follow these guys and read up on some of the research; it's really cool what they were doing. The other thing that's out there is just whitelisting products, so things like AppLocker, McAfee Application Control. What this software is designed to do is, instead of focusing on what is bad, identifying that and blocking it, with these programs you just define what's good and then only good is permitted; everything else is restricted. So I thought to myself when I wanted to start getting involved in this area, what if I just combine those two? Let's just start there, you've got to start somewhere. So what if I just started by looking for vulnerabilities in security products' ability to whitelist? And it turns out that's actually a thing.

So first of all, why should we care? Why even abuse a whitelist in the first place? Pretty straightforward: whoever controls that whitelist controls what's permitted, right? That's something that should only be done by a trusted user or a system administrator or something. Bad guys should not be able to control your whitelist. If a bad guy controls your whitelist, they control what's permitted in your environment, and now you've got a problem.
So how are we going to be doing this? Well, we're going to start looking for potential weaknesses in whitelisting implementations, and when we find one, believe it or not, it's actually possible in some cases to replace the whitelist with a whitelist of our own, and I'll show you that as we go on here. The only tool you need to really get started is Process Monitor. If you've never used Process Monitor, grab it at that link. This is what it looks like. It's just a piece of software that runs on Windows and it tells you everything that's going on: it looks at your processes and it tells you what files are being read and written to, registry keys being read and written to, a bunch of networking things. This is all you need. So the idea is to install a piece of antivirus software you want to poke at, have it detect a threat, and when it says to you, hey, here's this threat, what do you want to do, permit, deny, accept, ignore: turn on Process Monitor, accept the threat so it gets entered into your whitelist, and then turn off Process Monitor, and it will show you exactly what the antivirus software did in the background to modify its whitelist.

So these are some examples that I have here; if you can't see them in the back, I apologize. The problem with doing that, though, is that sometimes it can generate up to 5,000 lines of entries, so this is where the bulk of the work is: it's actually digging through these lines, searching, trying to find usually that literally one line that reveals where the whitelist is located. So the top one is McAfee, I think it's Endpoint Protection 2015, and I was able to find that it writes to a registry key that was revealed by Process Monitor. The bottom one is Sophos Cloud Security, and it actually writes to something called machine.xml.
So what I learned over a year of poking at various products is that there is no rhyme or reason to how whitelists are implemented; everyone's doing it differently. So this is just a tour of what I found. Zemana AntiLogger: their whitelist is stored in AppData of the locally logged-on user. A bunch of them have them in various ProgramData locations. Some of them just simply write registry keys. If you look at the actual file types, we've got INI files, DAT files, XML files, plain old straight-up TXT files. Webroot I thought was interesting because they actually have two whitelists: the whitelist that permits malicious URLs is stored in a text file in the file system, whereas the whitelist that permits malicious files is stored in a registry key. So not that I think there's anything wrong or bad with that, it's just an example of someone doing it differently.

So the next step is, if you go and dig around in these files, figure out the structure and what exactly they look like. And this is the same thing, there's no rhyme or reason here, it's all different. This is from Sophos Cloud Security; they edit something called machine.xml, which is actually a very large configuration file, so it contains the whitelist amongst a whole bunch of other things. But the important thing to notice is that there are actually three separate ones, so the whitelists for on-access scan, on-demand scan and right-click scan are actually controlled independently. So if someone wants to go and actually manipulate someone's whitelist as an attack, understand what software they're using and understand how their configurations are set up, because if you accidentally permit your threat by modifying only right-click, it's still going to get caught by on-demand and on-access. And then here's one of the failures: if you look at what's actually in the file, the only thing that's in here is the name of the file, from cloud exe.
I'm not going to go on record and say it was Sophos, but I did come across a product, pretty sure it was at a time, where the name of the file is all that's in the whitelist. It doesn't look for anything else: it doesn't look for where the file is located, it doesn't look for a hash, it just looks for the name of the file, and if that file is found anywhere on the file system it's permitted to run. So I took njRAT, renamed it something like michael.exe, permitted michael.exe, and njRAT would run on the system anywhere, simply because we had just permitted a name. So this is extra interesting, because if you're an attacker and you can convince someone to give up their whitelist and their software works in this manner, you don't even have to modify the whitelist: all you've got to do is rename your threat to something that's already in the whitelist and it'll just come on in. Which is pretty cool, or terrible, depending on your point of view.

This is getting a little better. This is McAfee. McAfee did the same thing, they just looked at the name, but they also went and put the location on here. So in this case malware.exe, my generic test, will only get blocked if it's found in this location; anywhere else in the file system it will continue to run. Pretty straightforward.

This was the Webroot text file. It's literally a text file with just URLs appended to it. If you tinker with it enough and you overwrite some of the permissions on the file, I was able to just manually edit this directly and have the changes here reflected in the software. Not really a huge problem, but there you have it.

And then we get a little better. So this is Webroot's, and this is their file hashing. So if you permit something through Webroot, what it actually does is just hash the file, and that's it. So if the hash changes, the file will get caught. Once again, it doesn't care where in the file system it is, as long as the hash matches. But one thing that's interesting is their whitelist doesn't just control malware, it also controls protected applications. So if your protected app is in here, I believe the way it works is that the software will prevent any changes to it. So if you can inject into this whitelist, make sure to set protected app to yes, and then nothing will actually be able to touch your threat, which I thought was pretty neat.
The last thing, and this is where the fun begins and the demo kind of kicks in, is every now and then this happens, and I've found this twice now: some developers, I'm going to assume, thought to themselves, hey, we're going to encrypt these whitelist files, and because they're encrypted they can't be tampered with, so everything's A-okay. And then I learned as I was playing around with them that the key that they used to encrypt and decrypt the file is actually hard-coded into the application. So every single installation of these two products can read and write any configuration file or any exclusions file from any other installation. So don't do that. There are actually two other issues here, and this is where the first and second bonuses come in. Those exclusion files, if you look at the properties, the permissions: full control in both cases was granted to the locally logged-on, non-administrative user. So now we have a file that's been encrypted with a hard-coded key that can be modified, copied, overwritten by the locally logged-on user. And there's also no write lock on it, so as long as the program's running you can still just write to or delete these files, and different things happen: if there's no file there it might recreate it or do something. But this actually opens the door for some pretty interesting malicious abuse.

So what I decided to do is, I did not go through the effort of actually trying to figure out what the key was in the case of Malwarebytes. I mentioned Tavis Ormandy earlier; I've never met the guy, but I disclosed this to them in September, and about two months later he disclosed it to them as well, because he found the same thing. But he actually went through the effort of figuring out what that key is, and he found it, and he was able to then decrypt the files and figure out a lot of structural issues within the files that could potentially lead to code execution, amongst a bunch of other things. So what I decided to do is just create a new whitelist from a completely different installation and copy it over. So all I did is I grabbed the trial version on a different computer. Oh, that's one of the interesting things here: the trial versions for all of the software that I've been testing also have that same key in them. So whether you're using a trial version or the full paid product doesn't matter, that same key is hard-coded. So you don't even have to invest in the product; this literally costs you nothing financially to go and poke with. You don't have to pay them fifty dollars or sixty bucks for their product. Get the free trial version. Once you have that, you install it and have the trial version detect your threat, and then when the version says, hey, do you want to permit this, your answer is yeah, sure do, and then you have a wonderful new version of the whitelist, which you can then move to your target machine, overwrite their whitelist, and the net result is the system will permit your threat.

So I'm going to move to the demo time here. I'm going to request that we turn the camera off. That's a cue. Not because what you're going to see is absolutely crazy or anything, it's just I am here as a representative of the University of Alberta, I'm not representing myself, and I do have some professional standards I have to adhere to. According to them, both of these issues are not fixed; this actually works on the most recent build of Malwarebytes.
I mean, when I talk about this type of thing with coworkers and friends, I should say nobody, I'm sure you guys all understand this, really knows the type of work and failure that goes into these types of exploits, right? I'm standing here for 20 minutes showing you what I think are cool exploits against two products, but the reality is there was a lot of failure involved in getting it to the point where I can confidently talk about it and have it work in a demo, right? Failure after failure after failure. So, things that didn't work: I've yet to actually see a product where just editing the files directly immediately reflects in the application. I always seem to have to restart a process or a service. So where I plan on going from here, or if any of you guys want to do this yourselves, is trying to find a way to do this that makes those changes take effect immediately without having to resort to restarting stuff. That's one of the biggest things.

What's next? I would encourage all of you to try this at home; I think it's pretty cool, interesting, neat stuff. One note, though: self-protection modules do stop this every single time. I've never seen a program where turning on the self-protection module allows me to then overwrite a whitelist. The problem is that in many cases they're actually turned off by default. Some companies also lock their self-protection module behind a paywall, where you don't get it in the basic service, you've got to buy the premium version for that. I think if they're really interested in actually protecting you, that type of functionality should just be in the base product. Some companies do, but not everyone does. So far, at the point when I put this slide together, I'd poked at seven different products, three of which are vulnerable to my demo today. VirusTotal has over fifty different products on their list. At some point in the future, or if anyone wants to help, just pick one and go through it and see if this type of issue is present. If it is, report it; you know, you might even get money out of it, who knows. And it's a pretty simple process and tools, right? I don't have a degree in computing science, I'm a really, really, really terrible programmer, but even I was able to figure this stuff out. So if you're sort of new to this and you want to get involved, this is a really great place to start looking: grab Process Monitor, grab some time, and start there.

So one last slide, and that's just huge thanks to three key people. First off, the University of Alberta, just for really putting up with me and all the opportunities. Secondly, to Totem Coffee; I don't think she's in the room, but Megan and I actually met virtually back in January of this year in our professional lives, and I told her over the phone one afternoon that, hey, you know, I've been doing some work that I would love to share with people, and she says, well, I know this thing, it's called Proving Grounds, the call for presentations is going out and you should submit one and hope for the best. Here I am. So had that conversation never happened... I owe her an immense amount of gratitude. And finally, Cerrito Reaches in the very back row there, looking at his phone with his pink hair. Rachel was my mentor for this, absolutely, absolutely awesome. I can't even begin to really put into words how amazing you've been. I looked at my original presentation I gave you like five months ago and I look at this one, and so much of what you have said and guided me on is reflected in here. So thank you, and I would encourage you to continue to mentor here; whoever gets you honestly is incredibly lucky. And yeah, thank you very much. So that's what I've got to say, and I think we've got like two point two minutes, I think, so questions.
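Added example, not part of the talk and not code from any of the products mentioned: a small Python model of the three matching policies seen on the whitelisting tour (name only, name plus path, content hash), run against a renamed, moved and edited file, so the "rename your threat to a whitelisted name" failure and the hash-based behaviour can be compared side by side. It also models the integrity side of the hard-coded-key finding: a whitelist file sealed with a key that is the same in every installation is accepted when copied from another install, while a key generated per installation rejects it. All paths, file bytes, the entry and both keys are constructed for the example.

```python
"""Whitelist matching policies and per-installation integrity (added example)."""
import hashlib
import hmac
import ntpath
import secrets

# Constructed threat bytes and a constructed whitelist entry, shaped the way a
# product might store it after the user clicks "permit" on a detection.
THREAT_BYTES = b"constructed threat bytes, not a real sample"
PERMITTED = {
    "name": "michael.exe",
    "path": r"C:\Users\alice\Downloads\michael.exe",
    "sha256": hashlib.sha256(THREAT_BYTES).hexdigest(),
}
POLICIES = ("name", "name_path", "hash")


def is_permitted(policy: str, entry: dict, path: str, data: bytes) -> bool:
    """Does the file at `path` with contents `data` match `entry` under `policy`?"""
    if policy == "name":
        # Name only: anything called michael.exe, anywhere on disk, is permitted.
        return ntpath.basename(path).lower() == entry["name"].lower()
    if policy == "name_path":
        # Name plus location: the entry is tied to one full path.
        return ntpath.normcase(path) == ntpath.normcase(entry["path"])
    if policy == "hash":
        # Content hash: rename or move does not matter, any edit to the bytes does.
        digest = hashlib.sha256(data).hexdigest()
        return hmac.compare_digest(digest, entry["sha256"])
    raise ValueError(f"unknown policy {policy!r}")


def matrix(entry: dict, path: str, data: bytes) -> dict:
    """Evaluate one candidate file under all three policies."""
    return {p: is_permitted(p, entry, path, data) for p in POLICIES}


# Integrity of the whitelist file itself.  The talk's products encrypted the
# file with a key hard-coded in the binary; the property that matters for a
# defender is that a list produced on one install should not be accepted on
# another.  Modelled here as an HMAC tag with either a shared or a per-install key.
HARD_CODED_KEY = b"constructed: identical in every install"


def new_install_key() -> bytes:
    """Per-installation secret generated at install time (the fix)."""
    return secrets.token_bytes(32)


def seal(whitelist: bytes, key: bytes) -> bytes:
    return hmac.new(key, whitelist, hashlib.sha256).digest()


def accept_whitelist(whitelist: bytes, tag: bytes, key: bytes) -> bool:
    return hmac.compare_digest(seal(whitelist, key), tag)


def copied_list_accepted(shared_key: bool) -> bool:
    """Install B seals a whitelist; the file is copied onto install A.
    Returns True if A accepts it."""
    key_a = HARD_CODED_KEY if shared_key else new_install_key()
    key_b = HARD_CODED_KEY if shared_key else new_install_key()
    foreign = b"<exclusions><item>michael.exe</item></exclusions>"  # constructed
    tag = seal(foreign, key_b)
    return accept_whitelist(foreign, tag, key_a)


if __name__ == "__main__":
    cases = {
        "original file, original path": (PERMITTED["path"], THREAT_BYTES),
        "different threat renamed to michael.exe": (PERMITTED["path"], b"other bytes"),
        "same file moved to C:\\Temp": (r"C:\Temp\michael.exe", THREAT_BYTES),
        "other threat named michael.exe in C:\\Temp": (r"C:\Temp\michael.exe", b"x"),
    }
    for label, (path, data) in cases.items():
        print(f"{label:45} {matrix(PERMITTED, path, data)}")
    print("copied list accepted, shared key:", copied_list_accepted(True))
    print("copied list accepted, per-install key:", copied_list_accepted(False))
```

The per-install key only helps if the logged-on user cannot read or replace it, which is exactly the ACL point from the tour: a key (or an encrypted list) with full control granted to the non-administrative user is no better than a hard-coded one. Self-protection modules, which the talk notes stopped every overwrite attempt, are the other half of that control.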
Good stuff, Michael, thank you. Questions?
At one point you were showing hashes, I think you had "ink" and something.exe. Did you figure out what method they were using to hash, and was it just hashing the path?

In almost every scenario, MD5 hash, and it is just hashing the executable. It's not been a path or anything.

Your two demos need an administrator, and I want to know, if we don't have administrator and we need to bypass the UAC, I want to know how to deal with it.

If I knew the answer to that I would totally tell you right now. I have no idea how to bypass Windows UAC at this point. One thing that I do know is that Microsoft doesn't consider UAC to be a security measure. I've been reading up on some issues with that, and people have disclosed to them vulnerabilities in getting around it, and I don't think they pay bounties for it because they don't consider it to be a security bypass. How to do it, not my area of expertise, unfortunately.

Oh, actually, generally when we want to bypass the UAC, we will use [inaudible] injection into Explorer and use [inaudible] and get administrator, so the [inaudible] will make the antivirus detect the injection.

Okay, so if you can even send me an email with that, that'd be really cool. I'd like looking into it further. Thanks.
Hey man, great talk. Again, did you talk at all about, or do you research, cleaning up after yourself? So it would be easy enough just to rewrite the file once you're done. Is that something...?

Yeah, I've never actually considered doing that. A lot of where I've kind of put thought in that area is where something like this would really be useful; that's kind of where I stopped. Once it's useful, cleaning up after yourself, yeah, that's a good point. In theory, sure, you could definitely just put the original whitelist back or put a clean one there. One of the questions that I've had, and I show just friends this, kind of tied into that, is usually they say, if you can just shut down the program, why even bother going further with the whitelist abuse? And my answer is, well, it really depends on what you're doing as an attacker, right? If your goal is to get in, get your stuff and get out, then there's no need to really clean up or anything; by the time you have what you need, you're long gone. I think something like this would probably be beneficial if you're going for persistence and you want your threat to stay there undetected as long as possible. I've actually encountered that in real life, where one of my former jobs was to manage the antivirus console for a large oil company in northern Alberta, about fifty-five hundred workstations, and every morning I'd get a report that showed all the systems that were turned on that never actually talked home to the antivirus mothership, and I had to figure out why. And in one case it was because a virus got on there and disabled the product. If they had just whitelisted themselves, we probably never would have found it. So yeah, I haven't really put much thought into cleaning up; my focus was let's just screw with it and talk about it that way. Thanks.

So, one more question between you and lunch, anyone?
So would it be an oversimplification to just make an educated guess of processes or applications that are most likely to be whitelisted, and launch a campaign based on that, like notepad.exe, and yeah, hope for the best?

Yeah, probably. So things like notepad, explorer, whatever random obscure thing might be out there, unnecessary and obscure, but yeah, I think you could do that. Where my thoughts have also been is how much effort do you want to put into, like, how much research do you want to put into your target? If you know they're using this particular program, you know the whitelist works like this. Where my thoughts mostly stopped is also social engineering: find a target, "Hey, I'm so-and-so from IT, can you send me a screenshot of this?", have them send it to you, and then you have the whitelist. But yeah, I think it would probably work: just whitelist generic things and hope for the best.

All right, thank you everyone for coming. I hope you enjoyed the talk. Thank you, Michael.