Windows 10 News and info | Forum
Topic: Windows 10 Ransomware Protection Bypassed Using DLL Injection
« on: October 09, 2018, 12:35:55 PM »

In Windows 10, Microsoft added a new ransomware protection feature called Controlled Folder Access that can be used to prevent modifications to files in protected folders by unknown programs.

At the DerbyCon security conference last week, a security researcher showed how DLL injection can be used by ransomware to bypass the Controlled Folder Access ransomware protection feature.

Bypassing Controlled Folder Access using DLL injection

Controlled Folder Access is a feature that allows you to protect folders and the files inside them so that they can only be modified by an application that is whitelisted. The whitelisted applications are either ones that you specify or ones that are whitelisted by default by Microsoft.

Knowing that the explorer.exe program is whitelisted in Controlled Folder Access, Soya Aoyama, a security researcher at Fujitsu System Integration Laboratories Ltd., figured out a way to inject a malicious DLL into Explorer when it is started. Since Explorer is whitelisted, when the DLL is injected it will launch and be able to bypass the ransomware protection feature.

To do this, Aoyama relied on the fact that when explorer.exe starts, it will load DLLs found under the HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers registry key shown below.

[Screenshot: the ContextMenuHandlers registry key]

The HKEY_CLASSES_ROOT tree is a merge of registry information found in HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER. When performing the merge, Windows gives the data in the HKCU tree precedence.

This means that if a key exists in HKCU, it would take precedence over the same key in HKLM, and be the data merged into the HKEY_CLASSES_ROOT tree. I know this can be a bit confusing, so you can read this document for more information.

By default, when explorer starts it loads Shell.dll from the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\InProcServer32 key. To load the malicious DLL into explorer.exe instead, Aoyama simply created a HKCU\Software\Classes\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\InProcServer32 key and set its default value to the malicious DLL.

Now when explorer.exe is killed and restarted, the malicious DLL will be launched inside explorer.exe rather than Shell.dll. You can see an example of the DLL injected into explorer.exe below.

[Screenshot: the injected DLL loaded in explorer.exe]
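The merge rule above (HKCU shadows HKLM when HKEY_CLASSES_ROOT is built) is exactly what a defender can check for. The following script is an added example, not code from the article or from Aoyama's research: it parses a .reg-style export (the sample text is constructed for this example), rebuilds the HKCR view of every CLSID's InProcServer32 default value, and reports any CLSID where a per-user key shadows the machine-wide one. It runs offline on any OS; on a real host you would feed it the output of `reg export` for the two Classes\CLSID branches.

```python
"""Detect per-user (HKCU) overrides of machine-wide (HKLM) COM InProcServer32 entries.

Added example: parses .reg-style text so it runs offline; the sample export below
is constructed, and the user-writable DLL path in it is a placeholder.
"""
import re
from collections import defaultdict

# Constructed sample export. The CLSID is the one named in the article; the HKCU
# entry models a user-level override pointing at a DLL in a user-writable folder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\InProcServer32]
@="C:\\Windows\\System32\\Shell.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\InProcServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\unknown.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32]
@="C:\\Windows\\System32\\benign.dll"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')
# Only InProcServer32 keys under the two Classes\CLSID branches that feed HKCR.
CLSID_RE = re.compile(
    r"^(HKEY_LOCAL_MACHINE\\SOFTWARE|HKEY_CURRENT_USER\\Software)"
    r"\\Classes\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32$",
    re.IGNORECASE,
)


def parse_inprocservers(reg_text):
    """Return {hive: {clsid: default_dll}} for every InProcServer32 key in the export."""
    result = defaultdict(dict)
    current = None  # (hive, clsid) of the key whose values we are reading
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            clsid_match = CLSID_RE.match(key_match.group(1))
            if clsid_match:
                hive = clsid_match.group(1).split("\\")[0].upper()
                current = (hive, clsid_match.group(2).upper())
            else:
                current = None
            continue
        default_match = DEFAULT_RE.match(line)
        if default_match and current:
            hive, clsid = current
            # .reg exports escape each backslash as "\\"; undo that for comparison.
            result[hive][clsid] = default_match.group(1).replace("\\\\", "\\")
    return result


def effective_hkcr(servers):
    """Merge the two hives the way HKEY_CLASSES_ROOT does: HKCU wins on conflict."""
    merged = dict(servers.get("HKEY_LOCAL_MACHINE", {}))
    merged.update(servers.get("HKEY_CURRENT_USER", {}))
    return merged


def find_user_overrides(reg_text):
    """List (clsid, hklm_dll, hkcu_dll) where a per-user key shadows a machine-wide one."""
    servers = parse_inprocservers(reg_text)
    hklm = servers.get("HKEY_LOCAL_MACHINE", {})
    hkcu = servers.get("HKEY_CURRENT_USER", {})
    overrides = []
    for clsid, user_dll in hkcu.items():
        machine_dll = hklm.get(clsid)
        if machine_dll is not None and machine_dll.lower() != user_dll.lower():
            overrides.append((clsid, machine_dll, user_dll))
    return overrides


if __name__ == "__main__":
    for clsid, machine_dll, user_dll in find_user_overrides(SAMPLE_REG):
        print(f"{clsid}: HKLM -> {machine_dll} is shadowed by HKCU -> {user_dll}")
```

On the constructed sample the script reports the one shadowed CLSID; a clean machine produces no output. Because the override lives entirely in the user's own hive, no elevation is needed to create it, which is why checking HKCU rather than only HKLM matters here.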

Unfortunately, not only did this bypass the Controlled Folder Access, but it also was not detected by Windows Defender. To be fair, according to Aoyama's tests, it was not detected by Avast, ESET, Malwarebytes Premium, and McAfee - all of which have ransomware protection.

For more details and to see Aoyama's DerbyCon talk and demonstration, you can view the video below.

MSRC responds to a vulnerability report

Aoyama has stated that before he gave this presentation he had responsibly disclosed this vulnerability to the Microsoft Security Response Center and included a proof-of-concept that could be used to bypass Controlled Folder Access.

[Screenshot: Aoyama's report to the Microsoft Security Response Center]

Microsoft, though, did not feel that this was a vulnerability that warranted a bounty or that required a patch.

"If I am interpreting your findings correctly, this report predicated on the attacker having login access to the target's account already," stated Microsoft's response to Aoyama. "Followed by planting a DLL through registry modifications. Since you are only able to write to the HKCU, you will not be able to affect other users, just the target you have already compromised through other means. There also does not appear to be an escalation privilege and you already had the same access level as the target."

[Screenshot: the MSRC response]

Unfortunately, ransomware does not need an escalation of privileges to encrypt a victim's computer. Yes, it needs elevated privileges to clear Shadow Volume Copies, but a malware developer can use other exploits or methods to execute vssadmin.

What this does allow is for malware to be installed without administrative privileges and still bypass the ransomware protection of Controlled Folder Access. This does not sound like a good thing.

« Last Edit: October 09, 2018, 01:58:09 PM by javajolt »
