Windows Defender own

Microsoft often talks up Windows Defender as the only protection users need on Windows 10. However, even as the tool gains features with each release, malware writers are adapting their code to escape its detection.

According to a report from BleepingComputer, bad actors have used the GootKit banking Trojan to help malware evade Windows Defender. GootKit uses a UAC bypass and WMIC commands to keep executable malware undetected by Microsoft’s antivirus tool.

If you are unfamiliar with GootKit, it is a Trojan that infiltrates a system and tries to lift online banking details. This is achieved through video capture and by redirecting unwitting users to fake banking websites.

Malware and security researcher Vitali Kremez analyzed a GootKit sample and found the Trojan is being used in efforts to thwart Windows Defender. By leveraging GootKit, hackers are managing to hide malware from system defense scans.

Attack Method

Kremez sent code to BleepingComputer that shows how the Trojan checks for Windows Defender before issuing its command:

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState /format:list

If the Trojan detects that Defender is enabled, the malware will run a command that can infiltrate the system and avoid detection. BleepingComputer details the path the command takes:

  1. “Create the HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command “DelegateExecute”=0 value, which is needed for the bypass.
  2. Create the HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command value so it points to a command that whitelists the malware executable's path. It does this using the command:
    WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"' + excludeDir + '\".
  3. Executes the command C:\Windows\System32\fodhelper.exe, which will execute the WMIC command above without showing a UAC prompt.
  4. It will then ping the loopback address 7 times to create a delay.
  5. Finally it deletes the value with the WMIC command from the Registry.”

Once this routine has run, Windows Defender will no longer scan the excluded path, so the malware placed there goes unnoticed. Note that only the registry value is cleaned up in the final step; the exclusion itself remains in Defender's configuration.
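The routine above leaves two artifacts a defender can look for: a per-user override of the ms-settings handler (which the fodhelper bypass depends on) and a Defender exclusion path that survives after the registry value is removed. The following PowerShell audit is an added example written for this page; it is not code from the article, from BleepingComputer or from Kremez's analysis. It assumes a Windows 10 host with the Defender cmdlets (Get-MpPreference, Remove-MpPreference) available and is run as the user whose HKCU hive is being inspected; the flagged-path pattern and the remediation paths in the comments are illustrative assumptions, not values from the page.

```powershell
# Added example: defender-side audit for the GootKit Defender-evasion artifacts.
# Assumptions: Windows 10, Defender cmdlets present, run in the context of the
# user account being checked. Paths in the remediation comments are placeholders.

# 1. The fodhelper UAC bypass needs a user-writable override of the ms-settings
#    handler. A clean profile has no such key under HKCU, so its presence alone
#    is a strong signal and its (default) value shows what would have been run.
$hijackKey = 'HKCU:\Software\Classes\ms-settings\shell\open\command'
if (Test-Path -Path $hijackKey) {
    $props = Get-ItemProperty -Path $hijackKey
    Write-Warning "ms-settings handler override present under HKCU"
    Write-Output ("  (default) command : {0}" -f $props.'(default)')
    Write-Output ("  DelegateExecute   : {0}" -f $props.DelegateExecute)
} else {
    Write-Output "No ms-settings handler override under HKCU."
}

# 2. Review Defender exclusion paths. The routine adds the malware's folder here
#    and, per the write-up, later deletes only the registry value, so the
#    exclusion outlives the registry artifact and is the more durable indicator.
$prefs      = Get-MpPreference
$exclusions = @($prefs.ExclusionPath | Where-Object { $_ })
Write-Output ("Defender exclusion paths ({0}):" -f $exclusions.Count)
foreach ($p in $exclusions) {
    # Exclusions under a user profile's AppData or a Temp directory are unusual
    # for a deliberate administrative exclusion and deserve a closer look.
    # (The pattern is an assumption for this example, not a rule from the page.)
    $flag = if ($p -match '\\AppData\\|\\Temp\\') { '  <-- review' } else { '' }
    Write-Output ("  {0}{1}" -f $p, $flag)
}

# 3. Defender records its own configuration changes as Event ID 5007 in the
#    Microsoft-Windows-Windows Defender/Operational log; an exclusion added
#    through MSFT_MpPreference shows up there even after the registry cleanup.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue
Write-Output ("Defender configuration-change events (ID 5007) since {0}: {1}" -f $since, @($events).Count)
foreach ($e in @($events)) {
    Write-Output ("  {0}  {1}" -f $e.TimeCreated, ($e.Message -split "`n")[0])
}

# 4. Remediation, left commented out so it is run deliberately after the
#    findings above have been confirmed on the host:
# Remove-Item -Path 'HKCU:\Software\Classes\ms-settings' -Recurse -Force
# Remove-MpPreference -ExclusionPath 'C:\PLACEHOLDER\confirmed\malicious\folder'
```

Run it in a normal (non-elevated) PowerShell session for the user in question, since the HKCU artifact is per user; the exclusion list and the 5007 events, by contrast, are machine-wide and will be the same from any account. Reviewing exclusions rather than the registry key is the more reliable check, because the registry value is the one piece the routine removes after use.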

It will be interesting to see what Microsoft’s reaction to this research is. The company has done a lot to make Windows Defender a robust antivirus tool that is deeply integrated with Windows. With hackers also upping their game, we guess Redmond will be quick to respond.