Bitdefender's challenge.

Options
AndyFul
edited April 2 in General Topics

Hi,

Here is a video test from the MalwaeTips forum about tampering with Bitdefender's drivers and protected services:

https://malwaretips.com/threads/bitdefenders-challenge.129753/

Comments

  • Flexx
    Flexx DEFENDER OF THE YEAR 2023 / DEFENDER OF THE MONTH ✭✭✭✭✭ mod
    Options

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)

  • camarie
    camarie Principal Software Developer BD Staff
    Options

    Done. It is not clear at this time what the payload does.

  • AndyFul
    edited April 3
    Options

    I could help, if I can get in contact with someone in charge. The attack method should not be published yet, so here is my email:

    (email address removed by admin)

    Regards

  • camarie
    camarie Principal Software Developer BD Staff
    edited April 3
    Options

    Thanks, notified the guys here.

    Anyways, since the proof of concept requires Admin rights, it's not really an exploit IMHO - one can simply uninstall the product for example.
    But as soon as I know more I will get back.

  • AndyFul
    Options

    I am not sure if this method can be called an exploit. Anyway, it can tamper with kernel drivers and protected services so one could call it an exploit of antimalware self-protection.

    I think that it can be (or already is) used in remote attacks or lateral movement against organizations. I noticed that one could use it to tamper with one or two drivers to invalidate some features like behavior shield, anti-ransomware shield, sandbox, etc. Here is an example of Avast:

    One could easily use this method in the widespread attacks via ISO or IMG disk image files, because most users ignore UAC prompts. The attack can be masqueraded as an update to be more convincing. But currently, there are several more popular methods, so I think that it is rather adjusted to be a part of targeted attacks on organizations.