How my application ran away and called home from Redmond

Mikko Kenttälä
Oct 7, 2019 · 3 min read

I recently found a surprising leak vector in Windows 10 installations. We were porting our Beacon application to Windows, and for easy deployment the plan was to ship a single .exe containing everything. However, we found out that endpoint protection (EPP) solutions did not like that at all, so we had to go with the MSI installer option instead. This is the story of what happened during the .exe testing.

I used my personal malware analysis lab for testing the application. My lab is an isolated network environment with whitelist-based firewall rules; the whitelist is needed to carefully allow only specific updates and downloads. The lab already has a Beacon virtual machine running, and it has found issues in the past. All of them are fixed, so this leak was something new!

(Image: Lab environment)

So what happened? What did I do? First I downloaded the Beacon binary to the Windows machine in the lab and double-clicked it to start the Beacon. I was happy to see that everything worked smoothly and deployment was a breeze. The only hitch was the obvious security warnings related to a downloaded binary. After a couple of seconds I killed the program and reported to our guys that the test Beacon worked well. About a minute later we received a Slack alert that the Beacon had managed to find a leak from the lab environment.


We were puzzled, because I had killed the Beacon process and it should not have been running anymore. I logged in to my Windows test machine to see if the Beacon was still running, but there was nothing. We were confused. Then I checked the alerts more carefully.


The alerts indicated that the leaks went over TCP using ports 20 and 1025. That should not be possible. I took a look at my firewall rules and there was nothing to explain the leak. Then I realised that Beacon's Home had received the packet from an unknown IP address. At this point I was confused and freaking out: why is someone else running the same unique binary which was just built for me? Are my systems hacked?

A quick whois query gave a crucial hint, pointing towards Redmond.


I researched a bit more and made educated guesses about why this happened. I managed to narrow it down to Microsoft Defender and its "Automatic sample submission" feature.

(Image: Microsoft Defender's Automatic sample submission feature.)

Summary (TL;DR)

(Image: Because of Windows Defender automatic sample submission, the Beacon binary was uploaded to Redmond and the Beacon called Home from there.)

By default, Microsoft Windows 10 sends every new, previously unseen binary to Microsoft for further analysis. Microsoft then runs the executable in an environment where network connectivity is available. This opens an interesting data leak vector for an attacker and also raises privacy concerns: whatever an attacker packs into a binary that Defender picks up leaves the isolated network inside the submitted sample, and the binary can then call out from Microsoft's side, with no help from the local firewall. It is quite common that even in isolated environments many Microsoft IP address ranges are whitelisted to make sure systems stay up to date, and that whitelist is all the submission needs. This enables an adversary to leak data via Microsoft services, which makes for an extremely juicy covert channel.
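The check a lab owner would want after reading this, as an added example (not code from the original post or from SensorFu): audit what Microsoft Defender is allowed to submit from a test VM and, if needed, switch submission off. It assumes an elevated PowerShell session on a Windows 10 machine with the built-in Defender module; the cmdlets and the enumeration values in the comments are the documented ones for Get-MpPreference / Set-MpPreference, and the helper function name is my own.

```powershell
# Added example, not from the original post: audit and lock down Microsoft
# Defender cloud sample submission on a lab/test VM. Run elevated on Windows 10.
#
# Documented enumeration values:
#   SubmitSamplesConsent: 0 = Always prompt, 1 = Send safe samples automatically
#                         (the default), 2 = Never send, 3 = Send all samples
#   MAPSReporting:        0 = Disabled, 1 = Basic, 2 = Advanced
# Samples are only uploaded when MAPS (cloud-delivered protection) is on, so a
# host can leak a new binary whenever MAPS != 0 and consent != "Never send".

function Get-DefenderSubmissionState {   # helper name is assumed, not a Defender cmdlet
    $p = Get-MpPreference
    [pscustomobject]@{
        SubmitSamplesConsent = $p.SubmitSamplesConsent
        MAPSReporting        = $p.MAPSReporting
        SamplesMayLeave      = ($p.MAPSReporting -ne 0 -and $p.SubmitSamplesConsent -ne 2)
    }
}

$before = Get-DefenderSubmissionState
'--- current state ---'
$before | Format-List

if ($before.SamplesMayLeave) {
    Write-Warning 'New unique binaries on this host can be uploaded to Microsoft and executed with network access.'
    # Never send samples, and turn cloud-delivered (MAPS) reporting off entirely.
    Set-MpPreference -SubmitSamplesConsent 2
    Set-MpPreference -MAPSReporting 0
}

'--- state after change ---'
Get-DefenderSubmissionState | Format-List

# A Group Policy setting overrides Set-MpPreference. If the policy key exists,
# its SpynetReporting / SubmitSamplesConsent values are what is actually enforced.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
if (Test-Path $policy) {
    '--- policy override present ---'
    Get-ItemProperty $policy | Select-Object SpynetReporting, SubmitSamplesConsent
} else {
    'No Spynet policy key set; the Set-MpPreference values above are effective.'
}
```

Two caveats when using this. With Tamper Protection enabled, Set-MpPreference is not allowed to turn cloud-delivered protection off, so the second call may fail until Tamper Protection is disabled in the Windows Security UI (Virus & threat protection settings, the same page as the "Automatic sample submission" toggle). And switching submission off only closes this one path: the whitelisted Microsoft ranges in the lab firewall are still an egress route for any other Microsoft-bound traffic, so the firewall rules deserve the same review.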

Sometimes you just cannot foresee what kind of leak vectors your environment might have. This is why continuous testing is needed.

SensorFu

All things SensorFu. https://www.sensorfu.com/
