You Don't See Me - Abusing Whitelists to Hide and Run Malware presented at BSidesLasVegas 2016

by Richo Healey, Michael Spaling,

Summary : This talk will outline a method for exploiting security software with a focus on unauthorized whitelisting. Many security products have the ability to permit or ignore a detected threat which ensures administrative override is available in the event a false positive is encountered. In most cases this requires user interaction by clicking a button labelled Accept/Ignore/Permit which tells the software to ignore this threat going forward. By learning how the application reads and writes these exemptions, we can uncover vulnerabilities that may lead to exploitation of these components. If an exploit can be found and written into a piece of malware, it's possible for the malware to whitelist itself without any interaction from the end user! Instead of being detected and quarantined, the malware is free to do its thing while the security software turns a blind eye.
The flow of the presentation will start with talking about why whitelisting exists and various methods used by different products to achieve this. This part can be summarized as "everyone does it differently". The next part talks about the process to discover how the application handles exemptions including the steps, tools and techniques used. The last part talks about things to look for that may indicate a whitelist component is vulnerable to abuse and where to begin exploiting.
The talk will borrow heavily from my professional work experiences as well as my personal side projects. To date, these methods have been applied to 5 different security products, 3 of which have successfully resulted in malware executing on the host after the successfully whitelisting itself. 1 product has been fixed, 1 is pending a fix and a third has yet to be reported. In the interest of responsible disclosure, I would like this talk to not include any product names and remain generic with a focus on the issue around abusing whitelists as opposed to specific proven scenarios.