CyberSecurity SEE

Windows Defender Impersonation Attack Exposes Vulnerabilities in Microsoft EDR


In April 2023, Microsoft patched a total of 97 Common Vulnerabilities and Exposures (CVEs), one of which was a security feature bypass vulnerability in Windows Defender. This vulnerability allowed an unprivileged user to hijack the antivirus tool and use it to cause harm to target systems. The issue was discovered by researchers at SafeBreach, who have previously found similar vulnerabilities in various security products.

The researchers at SafeBreach were specifically investigating whether the update process of Windows Defender could be exploited to introduce known malware into systems that the software is meant to protect. Additionally, they wanted to determine if they could manipulate Windows Defender to delete signatures of known threats and even benign files, potentially triggering a denial-of-service situation on compromised systems.

The researchers were successful in achieving all these objectives and even developed an automated tool called wd-pretender, which implemented each attack vector. Microsoft assigned the vulnerability the identifier CVE-2023-24934 and released a fix for it in April.

Tomer Bar and Omer Attias from SafeBreach presented their findings at a session during the Black Hat USA conference, titled “Defender Pretender: When Windows Defender Updates Become a Security Risk.” Prior to their presentation, the researchers explained that their research was inspired by the Flame cyber-espionage campaign that targeted organizations in Iran and other Middle Eastern countries back in 2012. The Flame campaign had utilized a man-in-the-middle attack and a forged certificate to insert the Flame malware tool into the Windows update process.

With their research, Bar and Attias aimed to replicate a similar attack without the need for a complex man-in-the-middle attack or a forged certificate. They specifically wanted to test if they could take over the Windows Defender update process as an unprivileged user.

During their study of the Windows Defender update process, the researchers discovered that signature updates are typically stored in a single executable file called the Microsoft Protection Antimalware Front End (MPAM-FE[.]exe). This MPAM file contains two executables and four Virtual Device Metadata (VDM) files that contain malware signatures in compressed form. The researchers found that two of the VDM files were large “Base” files with around 2.5 million malware signatures, while the other two were smaller-sized “Delta” files, which defined the changes to be made to the Base file.

At first, Bar and Attias attempted to hijack the update process by replacing one of the executables in the MPAM file with their own file. However, Windows Defender promptly detected that the file was not signed by Microsoft and halted the update process. Undeterred, the researchers decided to tamper with the Microsoft-signed VDM files instead.

Upon analyzing the files, they were able to identify the names and signatures of various malware threats, as well as the validation process that Windows Defender used to ensure the integrity of the files during the merge. By exploiting this process, they successfully hijacked the update process by using a modified version of a VDM file.

As a proof of concept, Bar and Attias modified the VDM files in such a way that Windows Defender failed to detect threats like Conti ransomware and Mimikatz, despite having signatures for both. They also demonstrated how they could sneak malicious files into a system by labeling them as “FriendlyFiles,” which are considered benign by Windows Defender. Additionally, they triggered a denial-of-service condition on a test machine by tricking Windows Defender into identifying all portable executable files as Emotet malware and automatically deleting them.

To emphasize the importance of their findings, the researchers highlighted a previous study by another member of SafeBreach. This study showed how an attacker with only unprivileged user permissions could manipulate certain endpoint detection and response systems to wipe any file on a system. The researchers stressed that determined attackers will always find ways to bypass even reliable security technologies.

While Microsoft used digitally signed files during the update process, the Windows Defender vulnerability enabled changes to go undetected during the validation checks. This highlights the need for further research to ensure the security of the signature update process and prevent it from being exploited as an attack vector.
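The article's point about the update process is that signed files alone did not stop a tampered signature set from being merged. The following PowerShell is an added example written for this page; it is not code from the article or from SafeBreach's wd-pretender tool. It audits the local Defender signature set from a defender's side: it reports the installed signature version and age via Get-MpComputerStatus, checks the Authenticode status of every definition file (the .vdm Base/Delta files and executables the article describes), and flags any file written after the last recorded signature update. The location of the definition store under %ProgramData%\Microsoft\Windows Defender\Definition Updates and the expected signer string are assumptions not stated in the article.

```powershell
# Added example, not code from the article or from SafeBreach's wd-pretender.
# Assumptions (not from the article): the definition store lives under
# %ProgramData%\Microsoft\Windows Defender\Definition Updates, and the Defender
# PowerShell module (Get-MpComputerStatus) is available on the host.

function Get-DefenderSignatureAudit {
    [CmdletBinding()]
    param(
        [string]$DefinitionRoot = (Join-Path $env:ProgramData 'Microsoft\Windows Defender\Definition Updates'),
        # Substring expected in the signer subject of Microsoft-signed files (assumption)
        [string]$ExpectedSigner = 'O=Microsoft Corporation'
    )

    $status   = Get-MpComputerStatus
    $findings = New-Object System.Collections.Generic.List[string]
    $files    = @()

    if (-not (Test-Path -LiteralPath $DefinitionRoot)) {
        $findings.Add("definition root not found: $DefinitionRoot")
    }
    else {
        $files = Get-ChildItem -LiteralPath $DefinitionRoot -Recurse -File -ErrorAction SilentlyContinue |
                 Where-Object { $_.Extension -in '.vdm', '.exe', '.dll' }

        foreach ($f in $files) {
            $sig     = Get-AuthenticodeSignature -FilePath $f.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

            # A file that is unsigned, or signed by someone other than Microsoft,
            # is what a swapped-in executable (the researchers' first attempt)
            # would look like on disk.
            if ($sig.Status -ne 'Valid' -or $subject -notlike "*$ExpectedSigner*") {
                $findings.Add(("{0}: signature={1} signer={2}" -f $f.FullName, $sig.Status, $subject))
            }

            # Heuristic: a definition file whose modification time is later than the
            # last recorded signature update was written outside the update process.
            if ($status.AntivirusSignatureLastUpdated -and
                $f.LastWriteTime -gt $status.AntivirusSignatureLastUpdated.AddMinutes(5)) {
                $findings.Add(("{0}: modified {1:u}, after last signature update {2:u}" -f
                    $f.FullName, $f.LastWriteTime, $status.AntivirusSignatureLastUpdated))
            }
        }
    }

    [pscustomobject]@{
        SignatureVersion     = $status.AntivirusSignatureVersion
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        SignatureAgeDays     = $status.AntivirusSignatureAge
        FilesChecked         = @($files).Count
        Findings             = $findings.ToArray()
    }
}

# Usage: run in an elevated PowerShell session and review the Findings list.
# Get-DefenderSignatureAudit | Format-List
```

Baseline the output against a known-good machine before treating a finding as evidence of tampering: a .vdm file that carries no embedded Authenticode signature will report NotSigned on every host, and the modification-time heuristic assumes the clock and update history on the host are themselves trustworthy. A script like this is a consistency check that complements, rather than replaces, the April 2023 fix for CVE-2023-24934.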
