ITSEC Newsletter 2023-05-18

Red team is best team

“This blog has helped explain the current endpoint security landscape, some of the contextual drivers for how the ecosystem evolved, and some of the current constraints imposed by the operating system that vendors must work within. Each functional layer of endpoint security plays an important role in providing defense-in-depth. Understanding the purpose of each layer and its effectiveness against various classes of threats will help you choose appropriate products.”

“Some malware families like to ‘emulate’ real software. They imitate clean .exe and .dll files by copy-pasting their lists of imports, exports, and internal strings, but then adding an extra import or export here and there; some go as far as to integrate their malicious code with the existing source code. So, the compiled embedded malicious code occupies like 5-10% of the actual binary, and the rest is all nice and dandy code ‘borrowed’ from some open source project. Detecting malicious code inside such binaries is not trivial, but one thing that sometimes gives the badness away is that extra export. So, this post is about these extra exports.”

“Usually when people think of LOLBINs they tend to think of built-in OS-only binaries. But if we think of a typical enterprise system, we find that there is additional software bundled with the OS, which includes third-party software. These new additions then become “built-in” to the image and can be considered LOLBINs as well. One such piece of software is the antivirus, whether it be the built-in MS Defender or a third-party one. Everyone has it installed in some form. Last year I thought it’d be fun to look into one aspect of these AVs: their “uninstallers” and some of their tooling. This blog post focuses on some of these uninstallers and how I was able to abuse them as LOLBINs. By the time you’re reading this, all of these “issues” have been reported and hopefully fixed by their respective vendors.”