Trust-Based Security Models Ineffective: Researchers

Whitelisting Not Always Effective As Legitimate Applications Successfully Abused by Attackers

LONDON – Infosecurity Europe 2015 – The trust-based foundations of whitelisting make it more difficult for organizations to properly protect their networks against cyber threats, Kaspersky Lab researchers have warned.

Juan Andres Guerrero-Saade and Fabio Assolini of Kaspersky Lab’s Global Research and Analysis Team (GReAT) provided numerous examples in which perfectly legitimate applications have been leveraged by malicious actors to achieve their goals.

Benevolent design doesn’t necessarily mean benevolent use, the experts showed during a presentation at the Infosecurity Europe conference in London this week. Trust-based security models such as whitelisting depend on the accurate characterization of the code’s intended use. Whitelisting technology is built on three pillars: verifying whether the developer is trustworthy, whether the application’s behavior is seemingly benevolent, and whether the application is trusted by many users, an aspect the researchers call “crowdsourced trust.”

However, many malicious cyber operations discovered recently have demonstrated that a situation can’t be accurately characterized on the basis of these pillars: behavior cannot be preemptively characterized, widely available or native tools are ripe for abuse, and a developer’s identity cannot be assured.

Guerrero-Saade and Assolini pointed out that many advanced persistent threat (APT) groups use perfectly legitimate tools in their campaigns. For example, the threat actor group known as Equation, believed to be linked to the NSA, has leveraged the functionality of Sleuth Kit, a library and collection of command line forensics tools that allow users to investigate volume and file system data.

Winnti, an APT group believed to have Chinese roots, has been even more resourceful. The attackers have used the StickyKeys accessibility feature in Windows to elevate their privileges.

The StickyKeys feature is activated when the Shift key is pressed five times in a row. Winnti managed to abuse the feature during the operating system’s logon phase to gain administrative privileges to the targeted device by replacing the legitimate StickyKeys executable (sethc.exe) with a file of their own. By replacing sethc.exe with cmd.exe, the attackers gained access to a command prompt with administrator rights.


Another good example is the TeamSpy operation in which attackers targeted political and human rights activists, government agencies, and private companies. The threat actor used TeamViewer, the popular remote control application, to steal sensitive data. As researchers have pointed out, TeamViewer, which is a perfectly legitimate application, became a whitelisted and digitally signed RAT in the hands of the APT group.

Interpreters such as Python, PowerShell and Lua, which are used by many developers, are also often abused. Machete, the cyber espionage operation targeting Spanish-speaking countries, which according to Kaspersky is still active, abused the Python interpreter. Flame used Lua for its modular design, and Bunny (a.k.a. Evil Bunny) used it for multi-thread orchestration.

PowerShell, the scripting tool included in Windows, has become highly popular among malicious actors. As Kaspersky researchers have pointed out, PowerShell can be highly efficient in the hands of attackers because it allows them to carry out their malicious routines without touching the disk.

Microsoft announced on Tuesday that it’s bringing SSH support to PowerShell. While the decision might be good for developers, experts believe it will also benefit cybercriminals.

Interpreters shipped with Apple’s OS X operating system can also be problematic. Kaspersky researchers are currently looking into issues related to the Perl interpreter installed by default in OS X.

Perfectly legitimate admin tools are also often abused. The SkeletonKey malware used PsExec, a utility designed for executing processes on remote systems, for lateral movement. MiniDuke and CosmicDuke leveraged the Windows Task Scheduler for persistence and for scheduling malware operations.

Wiper malware, such as the samples used in the attacks against Sony and Saudi Aramco, has used the RawDisk library from EldoS to evade NTFS permissions.

As for profit-driven cybercriminals, they have exploited legitimate applications for point-of-sale (PoS) malware, banking Trojans, and ransomware. The examples provided by Guerrero-Saade and Assolini include the use of PsExec by PoS malware such as Carbanak and Backoff, the use of anti-rootkit tools such as UnHackMe and The Avenger by banking Trojans, and the use of the highly popular archiving application WinRAR by the CTB-Locker ransomware.

The Microsoft Background Intelligent Transfer Service (BITS), which is used by Windows Defender and Windows Update, has been abused by cybercriminals to download and install banking Trojans.

Riskware, as some of the legitimate applications abused by malicious actors are called, is sometimes flagged by security solution providers. The problem with this approach is that security firms usually fail to agree on how their products should treat these applications.

The Kaspersky Lab research aims to highlight that whitelisting by itself doesn’t work. A solution to this problem, at least an interim solution, lies in custom-tailored application control, the experts said. Kaspersky’s own products include such features, but customers often remain exposed to attacks because they choose not to use them.
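As an added illustration of the difference between trust-based whitelisting and the custom-tailored, default-deny application control the researchers recommend, the following Python simulation (not Kaspersky's or the article's code) models the sethc.exe swap described earlier as a file-execution event and evaluates it under both models. Every path, signer string, hash and event field is constructed for the example; the policy schema and its context fields (parent process, session) are assumptions, not the fields of any real product.

```python
import hashlib
from dataclasses import dataclass

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in hashes: digests of placeholder bytes, not real Windows file hashes.
CMD_HASH = sha256_hex(b"constructed-cmd.exe-contents")
SETHC_HASH = sha256_hex(b"constructed-sethc.exe-contents")
SYSTEM32 = r"C:\Windows\System32"

@dataclass(frozen=True)
class ExecEvent:
    path: str     # image path the binary was executed from
    signer: str   # Authenticode signer as the whitelist sees it (constructed)
    sha256: str   # hash of the bytes actually on disk
    parent: str   # parent process image name
    session: str  # "logon" = pre-authentication secure desktop, "user" = interactive

def signer_whitelist_allows(ev: ExecEvent) -> bool:
    """Trust-based whitelist: the binary is signed by a trusted developer and
    widely used, so it is allowed wherever and whenever it runs."""
    return ev.signer == "Microsoft Windows"

# Custom-tailored, default-deny policy (assumed schema): one rule per allowed path,
# pinning the expected hash and the context (parent, session) in which it may run.
POLICY = {
    rf"{SYSTEM32}\sethc.exe": {"sha256": SETHC_HASH, "parents": {"winlogon.exe", "explorer.exe"}, "sessions": {"logon", "user"}},
    rf"{SYSTEM32}\cmd.exe": {"sha256": CMD_HASH, "parents": {"explorer.exe"}, "sessions": {"user"}},
}

def app_control_allows(ev: ExecEvent, policy=POLICY) -> bool:
    """Default deny: an unknown path, unexpected hash or unexpected context all fail."""
    rule = policy.get(ev.path)
    if rule is None:
        return False
    return (ev.sha256 == rule["sha256"]
            and ev.parent in rule["parents"]
            and ev.session in rule["sessions"])

def evaluate(ev: ExecEvent) -> dict:
    return {"signer_whitelist": signer_whitelist_allows(ev),
            "app_control": app_control_allows(ev)}

# Constructed events: the genuine StickyKeys binary started from the logon screen,
# and the same path after cmd.exe has been copied over sethc.exe.
GENUINE = ExecEvent(rf"{SYSTEM32}\sethc.exe", "Microsoft Windows", SETHC_HASH, "winlogon.exe", "logon")
SWAPPED = ExecEvent(rf"{SYSTEM32}\sethc.exe", "Microsoft Windows", CMD_HASH, "winlogon.exe", "logon")
```

The signer-based whitelist passes both events because the swapped file is still a genuine Microsoft-signed binary; only the policy that pins the hash and the execution context rejects the second one.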

“Whitelisting by itself is built on archaic criteria for trust proven obsolete by experience dealing with advanced and even intermediate threat actors. If execution in your system is not locked down by default deny application controls, your tools are also your attackers’ tools,” Guerrero-Saade told SecurityWeek in an interview.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
