How my application ran away and called home from Redmond
I recently found a surprising leak vector in Windows 10 installations. We were porting our Beacon Application to Windows, and for easy deployment the plan was to create just one .exe including everything. However, we found out that End Point Protection (EPP) solutions didn’t like that at all and we had to go with the MSI installer option. This is the story of what happened during the .exe testing.
I used my personal malware analysis lab for testing the application. My lab is an isolated network environment with whitelist-based firewall rules. The whitelist firewall is needed to carefully allow specific updates and downloads. The lab already has a Beacon Virtual Machine running, and it has found issues in the past. All of them are fixed. So this leak was something new!
So what happened? What did I do? First, I downloaded the Beacon binary to the Windows machine in the lab and double-clicked to start the Beacon. I was happy to see that everything worked smoothly and deployment was a breeze. The only hitch was the obvious security warnings related to the downloaded binary. After a couple of seconds I killed the program and reported to our guys that the test Beacon worked well. About a minute later we received a Slack alert that the Beacon had managed to find a leak from the lab environment.
We were puzzled because I had killed the Beacon process and it should not have been running anymore. I logged in to my Windows test machine to see if the Beacon was still running. But there was nothing. We were confused. Then I checked the alerts more carefully.
The alerts indicated that the leaks were over TCP using ports 20 and 1025. That should not be possible. I took a look at my firewall rules and there was nothing to explain the leak. After that I realized Beacon’s Home had received the packet from an unknown IP address. At this point I was confused and freaking out — why was someone else running the same unique binary which was recently built just for me? Are my systems hacked?
A quick whois query gave a crucial hint, which pointed towards Redmond.
I researched a bit more and made educated guesses about why this happened. I managed to narrow it down to Microsoft Defender and the “Automatic sample submission” feature.
Microsoft Windows 10 sends all new unique binaries to Microsoft for further analysis by default. They run the executable in an environment where network connectivity is available. This opens an interesting data leak vector for an attacker and also raises some privacy concerns. It is quite common that even in isolated environments, many of the Microsoft IP address ranges are whitelisted to make sure systems stay up to date. This enables an adversary to leak data via Microsoft services, which is an extremely juicy covert channel.
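An added example (not from the original post): a PowerShell check for a lab VM that reads the Defender preferences behind “Automatic sample submission” and reports whether samples can leave the host. `Test-LabSampleSubmission` is a hypothetical helper name and the sample object is constructed; `Get-MpPreference` and its `SubmitSamplesConsent` and `MAPSReporting` properties are Defender's own.

```powershell
# Added example: audit Microsoft Defender sample-submission settings on a lab host.
# Value meanings follow the Set-MpPreference documentation.
$SampleConsent = @{ 0 = 'AlwaysPrompt'; 1 = 'SendSafeSamples'; 2 = 'NeverSend'; 3 = 'SendAllSamples' }
$MapsLevel     = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }

function Test-LabSampleSubmission {   # hypothetical helper name
    param(
        # Object exposing SubmitSamplesConsent and MAPSReporting, e.g. from Get-MpPreference
        [Parameter(Mandatory)] $Preference
    )
    $consent  = [int]$Preference.SubmitSamplesConsent
    $maps     = [int]$Preference.MAPSReporting
    $findings = @()

    if ($consent -in 1, 3) {
        $findings += "Samples are submitted automatically ($($SampleConsent[$consent]))"
    } elseif ($consent -eq 0) {
        $findings += 'User is prompted; accepting the prompt still uploads the sample'
    }
    if ($maps -ne 0) {
        $findings += "MAPS reporting is enabled ($($MapsLevel[$maps]))"
    }

    [pscustomobject]@{
        SubmitSamplesConsent = $SampleConsent[$consent]
        MAPSReporting        = $MapsLevel[$maps]
        # Conservative: anything other than NeverSend is treated as a possible upload path.
        SamplesCanLeaveHost  = ($consent -ne 2)
        Findings             = $findings
    }
}

# Constructed sample input, so the logic can be exercised on a host without Defender.
$sample = [pscustomobject]@{ SubmitSamplesConsent = 1; MAPSReporting = 2 }
Test-LabSampleSubmission -Preference $sample | Format-List

# On a real Windows lab VM, audit the live settings.
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    Test-LabSampleSubmission -Preference (Get-MpPreference) | Format-List
}

# To stop automatic uploads on an analysis VM (elevated prompt):
#   Set-MpPreference -SubmitSamplesConsent NeverSend
```

Running this as part of lab VM provisioning, before any unique binary is dropped on the machine, catches the setting that caused the callback described above.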
Sometimes you just cannot foresee what kind of leak vectors your environment might have. This is why continuous tests are needed.