Huawei MateBook systems that are running the company’s PCManager software included a driver that would let unprivileged users create processes with superuser privileges. The insecure driver was discovered by Microsoft using some of the new monitoring features added to Windows version 1809 that are monitored by the company’s Microsoft Defender Advanced Threat Protection (ATP) service.
First things first: Huawei fixed the driver and published the safe version in early January, so if you’re using a Huawei system and have either updated everything or removed the built-in applications entirely, you should be good to go.
The interesting part of the story is how Microsoft found the bad driver in the first place.
Microsoft Defender ATP does not rely solely on signature-based endpoint antimalware to detect known threats; it also uses heuristics that look for behavior that appears suspicious, even if no particular malware has been identified. Windows itself notices certain actions taken by software and reports them to the Defender ATP cloud service, and machine learning-based algorithms look for anomalies in these reports.
Enter: The US government
Windows 10 version 1809 included tracing designed to detect DOUBLEPULSAR-type backdoors. DOUBLEPULSAR is one of the many techniques devised by the National Security Agency and subsequently leaked. Subsequent to its publication, it has been used in malicious software.
DOUBLEPULSAR provides a way for a compromised kernel driver to run code in user mode. It works by copying some code into the memory of a privileged process that’s already running and then directing the system to execute that code by sending an APC to the process. APCs (“asynchronous procedure calls”) are a way to temporarily direct a thread to stop running the function it’s running. Instead, they switch to running a different function; when that different function finishes, the thread resumes the original function from where it left off.
APCs are used internally by the operating system for certain I/O operations: instead of having to wait for the system to read or write a file, Windows has a system whereby the read or write operation can be started without waiting, with an APC used to indicate that the read or write has finished.
This requires a pair of back-to-back operations that the kernel can detect: the allocation of some memory within a running process, followed by the kernel sending the process an APC that references that newly allocated memory. Either operation on its own is of little interest, but the two happening together, with the APC using the memory, is indicative of a DOUBLEPULSAR-style attack. Windows 10 version 1809 included sensors to record these kernel operations that are known to be useful for malware.
When legitimate software and malware are indistinguishable
Further investigation revealed that on this particular occasion, it wasn’t malware that was injecting and running code in a user process; it was a Huawei-written driver. Huawei’s driver was supposed to act as a kind of watchdog: it monitored a regular user mode service that’s part of the PCManager software, and if that service should crash or stop running, the driver would restart it. To perform that restart, the driver injected code into a privileged Windows process and then ran that code using an APC—a technique lifted straight from malware.
Why Huawei chose this approach is not immediately clear, as Windows has as a built-in feature the ability to restart crashed services. There’s no need for an external watchdog.
The Huawei driver did make some attempts to ensure that it would only communicate with and restart Huawei’s own service, but improper permissions meant that even an unprivileged process could hijack the driver’s watchdog facility and use it to start an attacker-controlled process with LocalSystem privileges, giving that process complete access to the local system.
Microsoft’s researchers then continued to look at the driver and found that it had another flawed capability: it could map any page of physical memory into a user process, with both read and write permissions. With this, the user process can modify the kernel or anything else, and as such it, too, represents a gaping flaw.
While there is, of course, an element of the sales pitch around Microsoft’s public description of what it found and how it found it—it shows that Defender ATP can indeed yield relevant and valuable data—this example does a good job of showing how Microsoft is using the regular Windows 10 updates to boost defense in-depth measures and how cloud-based analytics can provide insights that would otherwise be hard to come by. It also highlights just some of the extraordinarily awful things that hardware vendors do when they’re tasked with writing software. When your hardware vendors are opening up big security flaws and copying malware techniques, one wonders if we need protection from the good guys as well as the bad ones.