Jump to content
Search In
  • More options...
Find results that contain...
Find results in...

A Microsoft Defender update can allow an attacker to download malware to a victim PC

Go to solution Solved by leadeater,

Well like, you can download files using your browser, cmd, PowerShell etc etc so I'm not really seeing a security risk here? Not sure on the purpose of the DownloadFile switch on the program but I doubt it's used for any definition updates or the AV engine, that's already covered a different way. Wouldn't be surprised if the purpose is to be used for downloading files so that Defender scans them and rates them on the spot. Sadly the documentation doesn't currently have DownloadFile in there so we don't have the description of what Microsoft intends for that switch.

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus

 

Either way this seems a little bit blown out of proportion, it's not adding any risk and multiple other programs and system tools allow you to do the exact same thing. Here's a good idea, don't download viruses, don't run random scripts, if something asks for administrative permissions that you did not expect close the dialogue (don't even click no unless you have to).

 

The reason there is no CVE, and likely never will be is because it's not a vulnerability, people doing dumb things with given tools don't get given CVE's.

Summary

A Microsoft Defender update can allow an attacker to download malware to a PC using command line

 

Quotes

Quote

Discovered by security researcher Mohammad Askar, a recent update to Microsoft Defender's command-line tool now includes a new -DownloadFile command-line argument. This directive allows a local user to use the Microsoft Antimalware Service Command Line Utility (MpCmdRun.exe) to download a file from a remote location using the following command:


MpCmdRun.exe -DownloadFile -url [url] -path [path_to_save_file]

 

In tests conducted by BleepingComputer.com, this feature was added to Microsoft Defender in version 4.18.2007.9 or 4.18.2009.9.

 

mpcmdrun-helpfule.jpg

 

As you can see below, BleepingComputer was able to download the resources.exe file, the WastedLocker Ransomware sample used in a recent Garmin attack.

 

microsoft-defender-lolbin.jpg

The good thing however is that as long as Windows Defender knows about the piece of malware, its going to be detected and blocked. So far, I haven't seen a blog post from Microsoft acknowledging this nor there was any CVE details posted in MITRE. While it's a good thing that even though the Defender command line can be used to download malware, it can still post a risk. By no means I am a security researcher but I can't help but think this bug can be used to execute and elevate privileges as shown in the MITRE ATT&CK framework below.

 

1820077649_MITREATTCKframework.thumb.png.2c06198187a283e193bd94e2c0ed8495.png

 

The reason Microsoft added such functionality is quite odd, it could be for pen testers or security researcher but I think this functionality should be turned off for most users who use Windows Defender as their antivirus of choice. Such attacks may not be a problem for large enterprises as those can afford an EDR sensor, internet gateway proxies and a team of security researchers but for small businesses and most consumers, it could pose a problem imo as these could also be a victim of targeted attacks too. Askar said however on Twitter that even if the command line was able to download a piece of malware, it will not execute on its own. I'm guessing that this attack requires the malefactor having the PC in their hand but as far as I know, there are ways to launch PowerShell or elevated command prompt remotely.

 

Sources

Twitter (@Mohammad Askar), Bleeping Computer

There is more that meets the eye
I see the soul that is inside

 

Making Windows Defender as good or even better than paid options

Link to post
Share on other sites

Or you can just not use windows.

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

            CPU: Ryzen 5 3600 @ 4.1Ghz          Case: Antec P8     PSU: G.Storm GS850                        Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM

            Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition @ 2Ghz

                                                                                                                             

Link to post
Share on other sites
25 minutes ago, like_ooh_ahh said:

government offices who use Windows since the 90s

They still use Windows 7, so this doesn't affect them much anyhow.

Tech News Posting Guidelines - READ BEFORE POSTING | Community Standards | Forum Staff

LTT Folding Users Tips, Tricks and FAQ | F@H Contribution | My Rig | Project Steamroller

 

Spoiler

 †  

 

Character is like a Tree and Reputation like its Shadow. The Shadow is what we think of it; The Tree is the Real thing.  ~ Abraham Lincoln

You have enemies? Good. That means you've stood up for something, sometime in your life.  ~ Winston Churchill

Docendo discimus - "the best way to learn is to teach" ~ Benjamin Jantz

 

I am a StarCitizen are you? My ships: Aegis Eclipse, Aegis Sabre, Aegis Gladius, Aopoa Nox, KI P52 Merlin, KI P72 Archimedes and the RSI Constellation Aquila.

 

My phones are a Samsung Note 9 and a Samsung S9+

 

🇺🇸   About Myself:   https://linustechtips.com/main/profile/229093-sansvarnic/?tab=field_core_pfield_46   🇺🇸

 

 CHRISTIAN MEMBER 

 

 

Link to post
Share on other sites

Well like, you can download files using your browser, cmd, PowerShell etc etc so I'm not really seeing a security risk here? Not sure on the purpose of the DownloadFile switch on the program but I doubt it's used for any definition updates or the AV engine, that's already covered a different way. Wouldn't be surprised if the purpose is to be used for downloading files so that Defender scans them and rates them on the spot. Sadly the documentation doesn't currently have DownloadFile in there so we don't have the description of what Microsoft intends for that switch.

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus

 

Either way this seems a little bit blown out of proportion, it's not adding any risk and multiple other programs and system tools allow you to do the exact same thing. Here's a good idea, don't download viruses, don't run random scripts, if something asks for administrative permissions that you did not expect close the dialogue (don't even click no unless you have to).

 

The reason there is no CVE, and likely never will be is because it's not a vulnerability, people doing dumb things with given tools don't get given CVE's.

Link to post
Share on other sites

It's way easier to bake the functionality into it and run bare isolated VMs to scan for malware samples sent by users.

Link to post
Share on other sites
40 minutes ago, leadeater said:

Well like, you can download files using your browser, cmd, PowerShell etc etc so I'm not really seeing a security risk here? Not sure on the purpose of the DownloadFile switch on the program but I doubt it's used for any definition updates or the AV engine, that's already covered a different way. Wouldn't be surprised if the purpose is to be used for downloading files so that Defender scans them and rates them on the spot. Sadly the documentation doesn't currently have DownloadFile in there so we don't have the description of what Microsoft intends for that switch.

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus

 

Either way this seems a little bit blown out of proportion, it's not adding any risk and multiple other programs and system tools allow you to do the exact same thing. Here's a good idea, don't download viruses, don't run random scripts, if something asks for administrative permissions that you did not expect close the dialogue (don't even click no unless you have to).

 

The reason there is no CVE, and likely never will be is because it's not a vulnerability, people doing dumb things with given tools don't get given CVE's.

People must be really young and we must be really old... Such commands were VERY common for use in file download managers which triggered file scanning upon file download in the download manager. You could also supply this for on-demand scanning of files in P2P software.

 

What shocks me more is that "security researcher" found it and was baffled by it. I can only assume the guy is really young and has never seen a file download manager...

AMD Ryzen 7 5800X | ASUS Strix X570-E | G.Skill 32GB 3600MHz CL16 | AORUS GTX 1080Ti | Samsung 850 Pro 2TB | Seagate Barracuda 8TB | Sound Blaster AE-9 MUSES

Link to post
Share on other sites

Either I'm missing something big here or this has been blown totally out of proportion.  If an attacker is able to run commands on your PC like this to make your PC download something they want you do have, you're already infected/compromised, so that feels like a catch 22.  Moreover, the ability to download a file with the command line doesn't seem unusual to me... have they not heard of wget?

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.

Link to post
Share on other sites
2 hours ago, leadeater said:

this seems a little bit blown out of proportion

3 minutes ago, Ryan_Vickers said:

Either I'm missing something big here or this has been blown totally out of proportion.

I would agree with this conclusion. I do not believe I could add more.

Tech News Posting Guidelines - READ BEFORE POSTING | Community Standards | Forum Staff

LTT Folding Users Tips, Tricks and FAQ | F@H Contribution | My Rig | Project Steamroller

 

Spoiler

 †  

 

Character is like a Tree and Reputation like its Shadow. The Shadow is what we think of it; The Tree is the Real thing.  ~ Abraham Lincoln

You have enemies? Good. That means you've stood up for something, sometime in your life.  ~ Winston Churchill

Docendo discimus - "the best way to learn is to teach" ~ Benjamin Jantz

 

I am a StarCitizen are you? My ships: Aegis Eclipse, Aegis Sabre, Aegis Gladius, Aopoa Nox, KI P52 Merlin, KI P72 Archimedes and the RSI Constellation Aquila.

 

My phones are a Samsung Note 9 and a Samsung S9+

 

🇺🇸   About Myself:   https://linustechtips.com/main/profile/229093-sansvarnic/?tab=field_core_pfield_46   🇺🇸

 

 CHRISTIAN MEMBER 

 

 

Link to post
Share on other sites

So a program in Windows has the ability to pull files from the internet? Add it to the list of pretty much every program you install these days.

 

How about he shows us the ability to pull and execute an exploit without triggering the system AV RTP, you know, since he's apparently a security expert.

 

1 hour ago, Ryan_Vickers said:

Either I'm missing something big here or this has been blown totally out of proportion.  If an attacker is able to run commands on your PC like this to make your PC download something they want you do have, you're already infected/compromised, so that feels like a catch 22.  Moreover, the ability to download a file with the command line doesn't seem unusual to me... have they not heard of wget?

And this as well, to even trigger the download at all someone must already have control of the target.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Windows 10 Pro X64 |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)

Link to post
Share on other sites

you can download on linux too? and Mac? using commandline? idk why this is important? 

Phone: iPhone SE 2020 | 64GB iOS
MacBook Pro: Mid-2012 | Core i5 3210M | 8GB RAM | 250GB SSD | macOS

PC: Supermicro X8DT3 | 2x Xeon X5650 | R9 290X | 32GB RAM500GB SSD | Bitfenix Whisper 850W | Windows 10

Link to post
Share on other sites
4 hours ago, Ryan_Vickers said:

Either I'm missing something big here or this has been blown totally out of proportion

Considering the only "big" tech publications that have reported on this are Bleeping Computer and Tom's Guide (plenty of smaller ones have too) I think the ones that stopped and actually thought about this figured out it's a non event. I know I'm already skeptical about this but I'm not exactly seeing much wide spread reporting on it so 🤷‍♂️

 

Feels more like "getting your name out there" than a security risk that has merit, name of the game though in the security field if you want to be more than just an employee of a security firm doing standard contract work.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×