How Microsoft found a Huawei driver opening systems to attack




Huawei MateBook systems running the company's PCManager software included a driver that allowed unprivileged users to create processes with superuser privileges. The insecure driver was discovered by Microsoft with the help of some of the new monitoring features added to Windows version 1809 and watched by the company's Microsoft Defender Advanced Threat Protection (ATP) service.

First: Huawei fixed the driver and released the secure version in early January. If you are using a Huawei system and have either installed all updates or completely removed the bundled applications, you should be fine.

The interesting part of the story is how Microsoft discovered the faulty driver in the first place.

Microsoft Defender ATP does not rely solely on signature-based anti-malware endpoint software to detect known threats; it also uses heuristics to detect suspicious behavior, even when no particular piece of malware has been identified. Windows itself records some of the actions that software takes and reports them to the Defender ATP cloud service, where machine-learning algorithms look for anomalies in these reports.

Enter: the US government

Windows 10 version 1809 included tracing designed to detect DOUBLEPULSAR-style backdoors. DOUBLEPULSAR is one of many techniques developed by the National Security Agency and later leaked. Since its publication, it has been used in malware.

DOUBLEPULSAR allows a compromised kernel driver to execute code in user mode. It works by copying code into the memory of a running privileged process, and then instructing the system to execute that code by sending an APC to the process. APCs ("asynchronous procedure calls") allow a thread to be temporarily redirected: it stops running the function it is currently executing and switches to a different function instead. When that other function returns, the thread resumes the original function at the point where it was interrupted.

APCs are used internally by the operating system for some I/O operations: instead of making a program wait for the system to read or write a file, Windows lets it start the read or write without waiting, and an APC is later used to signal that the read or write has completed.

This requires a pair of back-to-back operations that the kernel can observe: allocating memory in a running process, followed by the kernel sending that process an APC that refers to the newly allocated memory. Either operation on its own is of little interest, but the two happening together, with the APC using the fresh memory, are indicative of a DOUBLEPULSAR attack. Windows 10 version 1809 included sensors to record these kernel operations because they were deemed useful for spotting malware.
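The correlation the article describes, as an added example that is not part of the original piece or of Microsoft's detection code: a toy rule over a constructed event stream that flags an APC whose target address falls inside memory another context allocated in the same process shortly before. Field names, the event format and the time window are assumptions, not the real Windows tracing schema.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Event:
    ts: int          # timestamp in ms (constructed)
    kind: str        # "alloc" or "apc"
    actor_pid: int   # context performing the action (4 = System, i.e. kernel/driver)
    target_pid: int  # process whose address space is touched
    addr: int        # allocation base, or APC routine address
    size: int = 0    # allocation size (alloc events only)

WINDOW_MS = 5000  # assumed: how long an allocation counts as "fresh"

def find_injections(events: List[Event]) -> List[Tuple[int, int, int]]:
    """Return (alloc_ts, apc_ts, target_pid) for each alloc-then-APC pair."""
    recent: Dict[int, List[Event]] = {}  # cross-process allocations by target pid
    hits: List[Tuple[int, int, int]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "alloc":
            # A process allocating in its own address space is ordinary;
            # only allocations made into *another* process are remembered.
            if ev.actor_pid != ev.target_pid:
                recent.setdefault(ev.target_pid, []).append(ev)
        elif ev.kind == "apc":
            for a in recent.get(ev.target_pid, []):
                in_window = 0 <= ev.ts - a.ts <= WINDOW_MS
                in_region = a.addr <= ev.addr < a.addr + a.size
                if in_window and in_region:
                    hits.append((a.ts, ev.ts, ev.target_pid))
    return hits

# Constructed sample stream: a benign self-allocation, a benign I/O-completion
# APC into existing code, then a remote allocation followed by an APC into it.
SAMPLE_EVENTS = [
    Event(100, "alloc", 4001, 4001, 0x7FF610000000, 0x1000),  # benign
    Event(200, "apc",   4,    4001, 0x7FF605000000),          # I/O completion
    Event(300, "alloc", 4,    616,  0x02000000, 0x2000),      # remote alloc into pid 616
    Event(350, "apc",   4,    616,  0x02000040),              # APC into that region
]

if __name__ == "__main__":
    for alloc_ts, apc_ts, pid in find_injections(SAMPLE_EVENTS):
        print(f"suspicious: alloc@{alloc_ts}ms then APC@{apc_ts}ms into pid {pid}")
```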

Indistinguishable from malware

Further investigation revealed that on this particular occasion, it was not malware that was injecting and executing code in a user process; it was a driver written by Huawei. Huawei's driver was meant to act as a kind of watchdog: it monitored a regular user-mode service that was part of the PCManager software. If that service crashed or stopped working, the driver would restart it. To perform this restart, the driver injected code into a privileged Windows process and then ran it using an APC, a technique lifted straight from malware.

Why Huawei chose this approach is not obvious, since Windows has a built-in ability to restart services that have stopped. There is no need for an external watchdog.

The Huawei driver tried to make sure that it would only communicate with, and restart, Huawei's own service, but inadequate permissions meant that even an unprivileged process could hijack Huawei's watchdog driver and use it to start an attacker-controlled process with LocalSystem privileges, giving that process full access to the local system.

The Microsoft researchers then continued examining the driver and discovered that it had another defective feature: it could map any page of physical memory into a user process, with read and write permissions. With this, the user process can modify the kernel or anything else, so it too represents a gaping hole.

Although Microsoft's public account of what it found and how it found it is partly a sales pitch, it shows that Defender ATP can indeed yield relevant and valuable data. This example demonstrates how Microsoft uses regular Windows 10 updates to strengthen defenses, and how cloud-based analysis can provide insight that would otherwise be hard to obtain. It also highlights some of the truly awful things hardware manufacturers do when they are put in charge of writing software. When your hardware vendors open up big security holes and copy techniques from malware, one wonders who the protections are really guarding against.
