
Raising The White Flag
:: Bypassing Application White Listing
– Curt Shaffer and Chris Cuevas
NOTE: The video of this talk has now been made available over at the ShmooCon website.
More and more people are seeing application whitelisting in their environments. Despite what marketing people say, these solutions don’t stop APT and other advanced threats. This talk is designed to shine a light on the issues with whitelisting.
Whitelisting is often touted as a replacement for AV. Despite the fact that something better than AV is needed, application whitelisting isn’t the solution. Their purpose seems good, for the execution is lacking. Things are headed in the right direction, but using simple bypass techniques it’s possible to bypass these whitelisting protections.
The following application whitelisting tools were tested.
- Bit9 Parity 6.0.0
- McAfee Application Protection
- Microsoft Applocker
Methodology
- Windows File Protection
- File Naming Fun
- Iexpress packagng
- Java Exploits/Malware
- Flash Exploits/Malware
- Adobe Exploits/Malware
- JavaScript
- VBA
- Raw Shellcode
- Powershell
Some other things were excluded due to time constraints (including HTML5, CD-ROM ISO masquerading, Digitally Signed Malware).
Bypassing Techniques Attempted
- ActiveX
- PDF attacks
- Office documents
- Shellcodexec
- Inject shellcode into memory
- JAVA
- JavaScript
- BeEF hook
- Firefox Extension
- Powershell
- Run script by piping into powershell.exe
- DLL Injection
- Shellcode injection
- Chrome Extension
- Man-in-the-Middle
This is all know. We’ve been pissing on AV for a long time. Time to piss on whitelisting as well.
Results
McAfee
Most things worked, except Windows File Protection and Iexpress.
Bit9
Inconsistent results with Windows File Protection, and again Iexpress failed. However everything else works.
What Worked
JavaScript
Injecting BeEF into a browser process
Windows Help Files
Compiled HTML, but needs a degree of social engineering to get people to click
Can run cmd.exe and game over
Office Documents
Lots of work in this area by Didier Stevens
Powershell
Powershell code injection into any 32bit or 64 bit
Powershell syringe
Man-in-theMiddle
Get between the client and server
ARP spoof, iptables redirect
It’s HTTPS, but it doesn’t check the cert
Enables you to drop level from enforce blocks to only alert
Self protection
Abilty to inject code into the actual whitelisting exe (in this case parity.exe of Bit9)
Bit9 deny this is an issue.
[ demo of shellcode exection within the Bit9 Notifier process ]
Metasploit module for this will be released to demo this.
Stopping this attack
To protect this on Bit9, go to the admin control panel and add memory rules to protect the notifier.exe process. The memory protection menu is only available in versions above 6.0.1.

Links:
- Talk abstract –> HERE
- (NEW) Further Information from the talk –> HERE
- (NEW) Video of the talk –> HERE
Like this:
Like Loading...
Related
I am concerned about Bit9 and i need further information if available.
I would suggest contacting Bit9, or the speakers for further information… I’m afriad I don’t ahve anything beyond what was noted in the talk and written up on the blog!
I’ve added links to the Write-up by Foreground Security and the newly released video of the talk.
Apologies for those who found this quick set of notes unhelpful (wat0114)… feel free to attend the conference next time and write your own fucking notes!
Pingback: Why Malware Numbers Don’t Matter and What it Means for Security Accounting » ActiveResponse.org | ActiveResponse.org