Welcome to BSidesLV 2016, our 8th annual BSides in beautiful Las Vegas, Nevada!
Wednesday, August 3 • 12:00 - 12:30
You Don't See Me - Abusing Whitelists to Hide and Run Malware


This talk will outline a method for exploiting security software, with a focus on unauthorized whitelisting. Many security products have the ability to permit or ignore a detected threat, which ensures an administrative override is available in the event a false positive is encountered. In most cases this requires user interaction: clicking a button labelled Accept/Ignore/Permit tells the software to ignore this threat going forward. By learning how the application reads and writes these exemptions, we can uncover vulnerabilities that may lead to exploitation of these components. If an exploit can be found and written into a piece of malware, it's possible for the malware to whitelist itself without any interaction from the end user! Instead of being detected and quarantined, the malware is free to do its thing while the security software turns a blind eye.

The presentation will start with why whitelisting exists and the various methods different products use to achieve it. This part can be summarized as "everyone does it differently". The next part covers the process of discovering how the application handles exemptions, including the steps, tools and techniques used. The last part covers things to look for that may indicate a whitelist component is vulnerable to abuse, and where to begin exploiting.

The talk will borrow heavily from my professional work experience as well as my personal side projects. To date, these methods have been applied to 5 different security products, 3 of which have resulted in malware executing on the host after successfully whitelisting itself. 1 product has been fixed, 1 is pending a fix, and a third has yet to be reported. In the interest of responsible disclosure, I would like this talk not to include any product names and to remain generic, with a focus on the issue of abusing whitelists as opposed to specific proven scenarios.


Richo Healey

Security Engineer, Stripe
richo likes his ducks flat and his instruction sets reduced. He breaks things at Stripe, works on Rust, and will hopefully update his bio before the con.


Michael Spaling

University of Alberta
Trekkie, Lego fan and lover of all things sci-fi. I work at a large research-intensive university located in Edmonton, Canada, with a focus on operational security. During my downtime I enjoy making things work in ways that were never intended.

Wednesday August 3, 2016 12:00 - 12:30
Proving Ground Florentine E