BSidesLV 2016 has ended
Welcome to BSidesLV 2016, our 8th annual BSides in beautiful Las Vegas, Nevada!
Wednesday, August 3 • 12:00 - 12:30
You Don't See Me - Abusing Whitelists to Hide and Run Malware

This talk will outline a method for exploiting security software with a focus on unauthorized whitelisting. Many security products have the ability to permit or ignore a detected threat which ensures administrative override is available in the event a false positive is encountered. In most cases this requires user interaction by clicking a button labelled Accept/Ignore/Permit which tells the software to ignore this threat going forward. By learning how the application reads and writes these exemptions, we can uncover vulnerabilities that may lead to exploitation of these components. If an exploit can be found and written into a piece of malware, it's possible for the malware to whitelist itself without any interaction from the end user! Instead of being detected and quarantined, the malware is free to do its thing while the security software turns a blind eye.

The flow of the presentation will start with talking about why whitelisting exists and various methods used by different products to achieve this. This part can be summarized as "everyone does it differently". The next part talks about the process to discover how the application handles exemptions including the steps, tools and techniques used. The last part talks about things to look for that may indicate a whitelist component is vulnerable to abuse and where to begin exploiting.

The talk will borrow heavily from my professional work experiences as well as my personal side projects. To date, these methods have been applied to 5 different security products, 3 of which have successfully resulted in malware executing on the host after successfully whitelisting itself. 1 product has been fixed, 1 is pending a fix and a third has yet to be reported. In the interest of responsible disclosure, I would like this talk to not include any product names and remain generic with a focus on the issue around abusing whitelists as opposed to specific proven scenarios.

richö butts

Security Engineer, Stripe
richö spends most of his time flying parachutes and flinging himself off things. But he also hacks computers and hangs out with nerds.

Michael Spaling

University of Alberta
Trekkie, Lego fan and lover of all things sci-fi. I work at a large research intensive University located in Edmonton, Canada with a focus on operational security. During my downtime I enjoy making things work in ways that were never intended.

Wednesday August 3, 2016 12:00 - 12:30
Proving Ground Florentine E