How My Application Ran Away and Called Home From Redmond
Mikko Kenttälä (via Paul Haddad):
We were puzzled because I had killed the Beacon process and it should not be running anymore. I logged in to my Windows test machine to see if the Beacon is still running. But there was nothing. We were confused. Then I checked the alerts more carefully.
[…]
After that I realized Beacon’s Home received the packet from an unknown IP address. At this point I was confused and freaking out — why someone else is running the same unique binary which was recently built just for me? Are my systems hacked?
[…]
I managed to narrow it down to Microsoft Defender and the “Automatic sample submission” feature. […] Microsoft Windows 10 sends all new unique binaries for further analysis to Microsoft by default. They run the executable in an environment where network connectivity is available. This opens interesting data leak vector for attacker and also includes some privacy concerns. It is quite common that even in isolated environments, many of the Microsoft IP address ranges are whitelisted to make sure systems will stay up to date. This enables adversary to leak data via Microsoft services which is extremely juicy covert channel.
3 Comments RSS · Twitter
Also adding that this doesn't apply only to executables but potentially dangerous document types as well, such as .docx and PDFs. It will even happen to files like JPEGs, in order to detect a buffer overflow attack on a certain decoder, for example. This is most noticeable if you e-mail somebody at a company with APT protection and an e-mail attached document takes several minutes to arrive.
The critical lesson here is that one MUST disable this Defender feature in a software development environment. Otherwise you'll end up sending Microsoft a copy of every build you run on the computer.
Every corporation that develops software must make a point of disabling this "feature".
He blames Microsoft, but this isn't unique to Microsoft at all. This technology was originally invented by FireEye and has been around for around a decade.
This "detonation chamber" or "APT protection" is sold by major products like FireEye, ProofPoint, Cynet, Kaspersky, Cisco, etc. They insert themselves not only on the client machine, but as e-mail scanning gateways, transparent web proxies, scanning built into cloud storage, and more.