Want to get around app whitelists by pretending to be Microsoft? Of course you can...
...And here's how
DerbyCon A sprinkle of code and an understanding of the Windows digital certificate process is all that's needed for a miscreant to sneak malware past Microsoft's application whitelist within a corporate environment.
In a keynote address at the DerbyCon hacking conference in Kentucky, USA, on Friday, Matt Graeber, a security researcher with SpecterOps, detailed how he managed to disguise and run a banned software nasty as a legit whitelisted app, and thus bypass Redmond's security mechanisms.
Usually, anyone trying to fool Microsoft's defenses in this way, via PowerShell, will be caught by the executable signature checks within the Get-AuthenticodeSignature function. However, according to Graeber, there’s also CryptSIPVerifyIndirectData, which can be abused to green-light malicious applications with a counterfeit signature. All you need are some coding tools and, oh yeah, admin privileges on the target computer, we're told.
“By fooling PowerShell signature checking I could validate myself as anyone,” Graeber said. “I am Microsoft at this point. I can be Google, I can be anyone I want to be. I can do this remotely and it's not hard to get admin privileges.”
Graeber said that he has since verified that malware using bogus signatures to masquerade as whitelisted programs can be validated and run within non-PowerShell environments on Windows. He has detailed the whitelist bypass technique in this here white paper [PDF] if you want all the techie details. ®
PS: There are other ways, of course, to run rogue programs you're not supposed to on Windows.