
Windows Defender is the bane of most commodity malware. In this video we'll be looking at a piece of malware that attempts to elevate its privileges and then disable Windows Defender. This kind of operation is incredibly useful for us to understand, as it touches on the fundamentals of Windows processes and how Windows Defender's privileges function. During our malware analysis of the binary we see that it is written in .NET. The malware begins by checking the permissions of its own running process, calling Windows APIs to determine the owner. It then checks whether the owner name contains "NT". The highest privilege level a process can have on a Windows system is that of "NT-SYSTEM", and this level is necessary for the malware to attempt to disable Windows Defender. The malware checks whether it is already running at this level and, if not, attempts to elevate itself before disabling Defender. To accomplish this the malware duplicates the token of winlogon. WinLogon is a high-privilege process that runs at the "NT-System" privilege level. The malware calls OpenProcessToken to obtain the token of this process, sets up startup info for a new process, and calls DuplicateTokenEx to duplicate the winlogon token. Once that's done it gets the location of its own executable and creates a new process from it using the high-privilege token taken from winlogon.


Analyzing Malware that Disables Windows Defender

This malware can disable Windows Defender - let's find out how!
Support us on GH: https://guidedhacking.com/register/
Support us on Patreon: https://patreon.com/guidedhacking
Support us on YT: https://www.youtube.com/channel/UCCMi6F5Ac3kQDfffWXQGZDw/join
Windows Defender Disabling Malware Text Article: https://guidedhacking.com/threads/analyzing-malware-that-disables-windows-defender.20314/

Now that the binary is running with higher privileges, the malware continues on to disable Windows Defender.
Windows Defender runs with the permissions it needs to access files, and to disable it all you need to do is remove that access. Now that we have the permissions to do this, the malware calls OpenProcess on the Windows Defender process and then obtains that process's token, which carries its privilege level. Once that's done it creates a structure and populates it with the ML_UNTRUSTED SID, then converts the structure into a pointer that can be applied to the process. Finally the malware calls SetTokenInformation to set the untrusted level on the Windows Defender process, which removes its access to scan files. This is a very useful method for actors attempting to disable Windows Defender.

In conclusion, we have analyzed a piece of malware that attempts to disable Windows Defender by elevating its privilege level. The malware is written in .NET and uses various Windows APIs to achieve its objective. By checking the process owner and duplicating the token of winlogon, the malware elevates itself to "NT-SYSTEM". Once it has this privilege level, the malware disables Windows Defender by removing its access to scan files. This type of malware can cause significant harm to a system by disabling essential security features, so understanding the methods it uses is crucial to defending against it effectively.
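The tampering described above leaves a visible trace: the Defender engine process ends up carrying a mandatory-label SID below System. The following is an added example (my code, not from the video or the analysed sample) that parses the binary SID a TOKEN_MANDATORY_LABEL points at, maps S-1-16-<rid> to an integrity level name, and flags a Defender process whose label is anything other than System. The sample bytes are constructed; the live query assumes a Windows host and the advapi32/kernel32 calls shown.

```python
"""Added example, not code from the video or the analysed sample: decode the
mandatory-label SID that SetTokenInformation(TokenIntegrityLevel) writes and
flag a Defender process whose label sits below System (Windows for the live query)."""
import struct

# RIDs under the mandatory label authority S-1-16 (documented Windows values).
INTEGRITY_LEVELS = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium",
                    0x3000: "High", 0x4000: "System"}

def parse_sid(raw: bytes) -> str:
    """Binary SID -> 'S-R-A-...': revision byte, sub-authority count byte,
    48-bit big-endian identifier authority, little-endian DWORD sub-authorities."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))

def integrity_level(sid: str) -> str:
    """Map a mandatory-label SID string (S-1-16-<rid>) to its level name."""
    parts = sid.split("-")
    if len(parts) != 4 or parts[:3] != ["S", "1", "16"]:
        raise ValueError("not a mandatory label SID: " + sid)
    return INTEGRITY_LEVELS.get(int(parts[3]), "Unknown(%s)" % parts[3])

def defender_downgraded(sid: str) -> bool:
    """A Defender engine process should carry the System label; anything lower
    (the sample applies ML_UNTRUSTED, S-1-16-0) means its token was tampered with."""
    return integrity_level(sid) != "System"

# Constructed sample: S-1-16-0 (ML_UNTRUSTED) laid out as it sits in memory.
UNTRUSTED_SID_BYTES = bytes([1, 1, 0, 0, 0, 0, 0, 16]) + struct.pack("<I", 0)

def query_process_label(pid: int) -> str:
    """Windows only: read TokenIntegrityLevel from a live process token."""
    import ctypes
    from ctypes import wintypes
    adv, k32 = ctypes.windll.advapi32, ctypes.windll.kernel32
    k32.OpenProcess.restype = wintypes.HANDLE
    hproc = k32.OpenProcess(0x1000, False, pid)  # PROCESS_QUERY_LIMITED_INFORMATION
    htok = wintypes.HANDLE()
    if not hproc or not adv.OpenProcessToken(hproc, 0x0008, ctypes.byref(htok)):  # TOKEN_QUERY
        raise ctypes.WinError()
    buf, needed = ctypes.create_string_buffer(64), wintypes.DWORD()
    # 25 == TokenIntegrityLevel; buf receives TOKEN_MANDATORY_LABEL {PSID Sid; DWORD Attributes}
    if not adv.GetTokenInformation(htok, 25, buf, len(buf), ctypes.byref(needed)):
        raise ctypes.WinError()
    psid = ctypes.cast(buf, ctypes.POINTER(ctypes.c_void_p))[0]  # Sid points into buf
    return parse_sid(ctypes.string_at(psid, adv.GetLengthSid(ctypes.c_void_p(psid))))
```

On a Windows host, `defender_downgraded(query_process_label(pid))` with the PID of MsMpEng.exe answers the question directly; anywhere else, `parse_sid(UNTRUSTED_SID_BYTES)` shows what the sample's label decodes to.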
