{"id":5020,"date":"2018-02-20T00:49:09","date_gmt":"2018-02-19T23:49:09","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=5020"},"modified":"2020-01-08T17:55:22","modified_gmt":"2020-01-08T16:55:22","slug":"windows10-zero-character-bug-allowed-anti-malware-bypass","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2018\/02\/20\/windows10-zero-character-bug-allowed-anti-malware-bypass\/","title":{"rendered":"Windows 10: Zero character bug allowed Anti-Malware bypass"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"http:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/win102.jpg\" width=\"58\" align=\"left\" height=\"58\">[<a href=\"https:\/\/www.borncity.com\/blog\/2018\/02\/19\/windows10-null-zeichen-ermglichte-anti-malware-bypass\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]Windows 10 had a bug that allowed malware to trick Windows 10's Anti-Malware Scan Interface (AMSI) by including a null character. The character simply caused the code after it not to be scanned. The bug was fixed with the February 2018 patchday. <\/p>\n<p><!--more--><\/p>\n<h2>What is Anti Malware Scan Interface (AMSI)?<\/h2>\n<p>The Antimalware Scan Interface (AMSI) is a generic interface standard that allows applications and services to integrate with any anti-malware product on a machine. It provides enhanced protection against malware for users and their data, applications and workloads. <\/p>\n<p>It was introduced with Windows 10 (I mentioned it in my German blog post <a href=\"https:\/\/www.borncity.com\/blog\/2015\/09\/05\/windows-10-welche-antivirus-lsung-soll-ich-einsetzen\/\" target=\"_blank\" rel=\"noopener noreferrer\">Welche Antivirus-L\u00f6sung soll ich einsetzen?<\/a>). 
Microsoft published an article on it in summer 2015 in this <a href=\"https:\/\/web.archive.org\/web\/20150916092128\/http:\/\/blogs.technet.com\/b\/mmpc\/archive\/2015\/06\/09\/windows-10-to-offer-application-developers-new-malware-defenses.aspx\">Microsoft blog post<\/a>. More details can be found on MSDN in <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/dn889587%28v=vs.85%29.aspx?f=255&amp;MSPPError=-2147217396\" target=\"_blank\" rel=\"noopener noreferrer\">this article<\/a>. <\/p>\n<h2>Anti-Malware Scan Interface bypass bug<\/h2>\n<p>Security researcher Satoshi Tanda from Vancouver (Canada) found a bug in the Anti-Malware Scan Interface. If a null character (00H) is inserted into a file, the part of the file behind this character is simply no longer scanned: the null character acts as an end-of-file (EOF) marker. A malware developer could therefore place malicious code behind the null character, and it would not be detected during the scan. <\/p>\n<p>In <a href=\"http:\/\/standa-note.blogspot.de\/2018\/02\/amsi-bypass-with-null-character.html\" target=\"_blank\" rel=\"noopener noreferrer\">this blog post<\/a> Tanda has published more technical details. In brief: the library <em>System.Management.Automation.dll<\/em> did not take into account that such null characters may occur in PowerShell files. Tanda created PowerShell scripts containing null characters and passed them to the AMSI providers for scanning. As expected, the 'harmful' script components behind the null character were not detected, because they were never scanned. 
<\/p>\n<p><img decoding=\"async\" title=\"Detected PowerShell malware code\" alt=\"Detected PowerShell malware code\" src=\"https:\/\/4.bp.blogspot.com\/-xT0O5S5c66Q\/WoDUuZnN39I\/AAAAAAAADDw\/jJ3vKzlkHi8dD-0LX9cHTdqcz2FzULGNQCLcBGAs\/s640\/detected.png\"><br \/>(Source: <a href=\"http:\/\/standa-note.blogspot.de\/2018\/02\/amsi-bypass-with-null-character.html\" target=\"_blank\" rel=\"noopener noreferrer\">standa-note.blogspot.de<\/a>)<\/p>\n<p>In the blog post he published an example in which a PowerShell statement downloads a Mimikatz exploit from the Internet. As expected, the threat protection (Windows Defender in the screenshot above) shows an alert when the PowerShell script is run. <\/p>\n<p><img decoding=\"async\" title=\"Script masked with a null character\" alt=\"Script masked with a null character\" src=\"https:\/\/3.bp.blogspot.com\/-qHugPAsxId0\/WoC4Nxo2DCI\/AAAAAAAADCs\/PhMPsolMdE4F2klTeAS9EMSEQHCtialKgCLcBGAs\/s640\/diff.png\"><br \/>(Source: <a href=\"http:\/\/standa-note.blogspot.de\/2018\/02\/amsi-bypass-with-null-character.html\" target=\"_blank\" rel=\"noopener noreferrer\">standa-note.blogspot.de<\/a>)<\/p>\n<p>Then he inserted a null character into the PowerShell script (screenshot above, right window) and ran it again under Windows 10. <\/p>\n<p><img decoding=\"async\" title=\"Command prompt window with malicious script\" alt=\"Command prompt window with malicious script\" src=\"https:\/\/3.bp.blogspot.com\/-42LMhMq4U4s\/WoDYMGRvQKI\/AAAAAAAADD8\/-2F1lceyrrE84bmZu_YLC9HWXqgiCd8NgCLcBGAs\/s640\/ok.png\"><br \/>(Source: <a href=\"http:\/\/standa-note.blogspot.de\/2018\/02\/amsi-bypass-with-null-character.html\" target=\"_blank\" rel=\"noopener noreferrer\">standa-note.blogspot.de<\/a>)<\/p>\n<p>The command prompt window above shows that the PowerShell script was executed. In the blog post Tanda describes his approach in detail. A single null character is sufficient to hide the malicious code from the scan, yet the code is still executed afterwards. 
<\/p>\n<p>Microsoft fixed this bug with the February 2018 patchday, as Tanda writes. However, he recommends that third-party vendors check their anti-malware products to see whether null characters are tolerated and the product scans the entire file. (<a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/null-character-bug-lets-malware-bypass-windows-10-anti-malware-scan-interface\/\" target=\"_blank\" rel=\"noopener noreferrer\">via<\/a>)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Windows 10 had a bug that allowed malware to trick Windows 10's Anti-Malware Scan Interface (AMSI) by including a null character. The character simply caused the code not to be scanned. The bug was fixed with the February 2018 patchday.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[69,76],"class_list":["post-5020","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-security","tag-windows-10"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/5020","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=5020"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/5020\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=5020"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=5020"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win
\/wp-json\/wp\/v2\/tags?post=5020"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}