Windows Defender Vulnerabilities: How the Latest Malware Can Disable It
Trickbot and its sneaky ways of disabling Windows Defender without your knowledge. Why you can’t rely on system defenses alone.
Are you relying only on the built-in defenses in your Windows 10 operating system for security? This was never a good idea, but lately it has become even more dangerous. The Windows Defender vulnerabilities uncovered by researchers go far beyond what users could have expected.
During the past months and even before that, the world of cybersecurity has held its breath over Trickbot updates. The banking Trojan has been around since 2016 and, according to recent analysis, it has compromised over 265 million email accounts. While the malware is not exactly new, the trickiest part about it (pun intended) is how it manages to adapt.
The most worrisome part of its evolving trajectory is its ability to disable Windows Defender. The latest cybersecurity analysis has revealed that in its latest campaign, Trickbot has been targeting Windows 10 users. Especially in corporate environments (but also inside plenty of home devices), this is the operating system of choice.
How Does Trickbot Work?
Trickbot has been around since 2016 and has managed to be a stressful threat ever since. Targeting both individuals and companies, it is a jack of many trades. Every time security teams have it pinned down and think a permanent counter has been found, Trickbot resurfaces in an altered form.
This is not about the usual change all malware strains go through to evade detection by simple antivirus products. Generally, malware developers (hackers) change just a few lines of code to make the malware appear different.
Trickbot’s History of Adapting to Defensive Software
Not so with Trickbot. In this case, whenever Trickbot got reinvented, it also resurfaced with a changed strategy. That’s the main reason for which it wasn’t yet completely eradicated. At the moment, small businesses are the most endangered by Trickbot’s activity.
Over its 3 years of activity, Trickbot wore many disguises and targeted various entities and systems, depending on what was deemed more vulnerable at the time. When it first emerged, it seemed to borrow heavily from Dyreza, a previous banking Trojan. It also stole data from users via malicious spam.
From its initial emergence, Trickbot proved to be impressively adaptable. It changed tactics from scam emails sending warnings about unpaid bills to account update phishing emails. It could propagate either through infected URLs or through malicious email attachments.
How Trickbot Operates Now
Once it manages to infect one endpoint, Trickbot quickly spreads laterally through the entire organization. The malware uses an SMB vulnerability to propagate. It is then notoriously difficult to detect (network admins have to intuitively guess that something is wrong, just by monitoring traffic and resource footprints).
Trickbot is even more notoriously difficult to remove, once detected. It requires IT admins to manually go through every infected endpoint, isolate it, and clean it.
Unfortunately, because Trickbot spreads through the SMB vulnerability, any sanitized endpoint can quickly become re-infected once it joins the network again if there is at least one other infected machine.
It also becomes more persistent by creating Scheduled Tasks, which carry out its agenda while evading user (and security software) detection. This makes the clean-up process painstaking and the infection incredibly resilient.
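The Scheduled Task persistence described above is something an admin can look for directly. The following PowerShell function is an added example (not code from the original post or from Heimdal): it lists every scheduled task whose action runs an executable outside the Windows and Program Files directories, which is where a freshly planted task pointing into a user-writable folder would show up. It assumes Windows 10 with the built-in ScheduledTasks module; the function name and the list of trusted directories are my own choices, and the output is a list of candidates for review, not a verdict.

```powershell
# Added example, not from the original post: surface scheduled tasks whose
# action executable lives outside the usual system locations.
# Assumes Windows 10 and the ScheduledTasks module (Get-ScheduledTask).

# Directories we treat as "expected" homes for task executables (my choice).
$trustedDirs = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

function Get-SuspiciousScheduledTask {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only exec actions carry an Execute path; COM handler actions do not.
            $exe = $action.Execute
            if (-not $exe) { continue }

            # Expand %windir%-style variables and strip surrounding quotes so
            # the prefix comparison below is meaningful.
            $expanded = [Environment]::ExpandEnvironmentVariables($exe).Trim('"')

            $inTrusted = $false
            foreach ($dir in $trustedDirs) {
                if ($expanded.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                    $inTrusted = $true
                    break
                }
            }

            # Bare names like "cmd.exe" are reported too: the interesting part
            # is then the Arguments column, which shows what actually runs.
            if (-not $inTrusted) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    State     = $task.State
                    Author    = $task.Author
                    Execute   = $expanded
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

# Usage: review the candidates, then inspect a suspicious one with
# Get-ScheduledTask -TaskName <name> | Select-Object -ExpandProperty Triggers
Get-SuspiciousScheduledTask | Format-Table -AutoSize
```

Runs of this on a clean machine will still list a few vendor tasks installed under ProgramData or user profiles, so the useful workflow is to baseline a known-good host once and compare later output against it.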
How Can Malware Disable Windows Defender?
Advanced malware has gained ways to avoid being detected by Windows Defender in the past few years. This isn't really news. What makes Trickbot exceedingly dangerous is that it is capable not only of flying under Windows Defender's radar, but of disabling it altogether.
In one of the most recent Trickbot developments, the malware surprised researchers by silently disabling Windows Defender. Once the default protection was out of the way, the malware then proceeded to carry out its agenda of data stealing and email compromising.
In its most recent data scraping, it’s estimated that over 265 million email addresses were exposed and compromised. These emails will now be used in phishing and scamming campaigns, poised to break into banking accounts and make away with funds.
Here is how Trickbot exploits Windows Defender vulnerabilities:
At the time of my writing this blog post, this is how the most recently detected Trickbot version behaves, as documented by MalwareHunterTeam and Vitali Kremez.
Step #1. Add policies to SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection for the following:
- DisableBehaviorMonitoring: Disables behavior monitoring in Windows Defender.
- DisableOnAccessProtection: Disables scanning when you open a program or file.
- DisableScanOnRealtimeEnable: Disables process scanning.
Step #2. Configures the following Windows Defender preferences via PowerShell:
- DisableRealtimeMonitoring: Disables real-time scanning.
- DisableBehaviorMonitoring: Same as above, except as a Windows Defender preference.
- DisableBlockAtFirstSeen: Disables Defender’s Cloud Protection feature.
- DisableIOAVProtection: Disables scans of downloaded files and attachments.
- DisablePrivacyMode: Disables privacy mode so all users can see threat history.
- DisableIntrusionPreventionSystem: Disables network protection for known vulnerability exploits.
- DisableScriptScanning: Disables the scanning of scripts.
- SevereThreatDefaultAction: Set the value to 6, which turns off automatic remediation for severe threats.
- LowThreatDefaultAction: Set the value to 6, which turns off automatic remediation for low threats.
- ModerateThreatDefaultAction: Set the value to 6, which turns off automatic remediation for moderate threats.
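The two steps above give a defender a concrete checklist. The following PowerShell function is an added example (not code from the original post or from Heimdal) that audits exactly those settings: the three policy values under the Real-Time Protection key from Step #1 and the ten preferences from Step #2, plus the Tamper Protection state and the Defender operational log. It assumes Windows 10 with the Defender PowerShell module (Get-MpPreference, Set-MpPreference, Get-MpComputerStatus) and an elevated prompt; the function name, the -Remediate switch and the choice of Quarantine (2) as the restored threat action are my own, not Defender defaults.

```powershell
# Added example, not from the original post: audit the Defender settings the
# post lists and report any that match the tampered state.
# Assumes Windows 10, the Defender PowerShell module, elevated prompt.

$policyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
$policyValues = 'DisableBehaviorMonitoring', 'DisableOnAccessProtection', 'DisableScanOnRealtimeEnable'

# Preference name -> the value the post says Trickbot sets (Step #2).
$tamperedPrefs = @{
    DisableRealtimeMonitoring        = $true
    DisableBehaviorMonitoring        = $true
    DisableBlockAtFirstSeen          = $true
    DisableIOAVProtection            = $true
    DisablePrivacyMode               = $true
    DisableIntrusionPreventionSystem = $true
    DisableScriptScanning            = $true
    SevereThreatDefaultAction        = 6
    LowThreatDefaultAction           = 6
    ModerateThreatDefaultAction      = 6
}

function Test-DefenderTampering {
    [CmdletBinding()]
    param([switch]$Remediate)   # switch name is my own, not a Defender option

    $findings = New-Object System.Collections.Generic.List[string]

    # Tamper Protection first: when it is on, Set-MpPreference changes to the
    # protected settings are refused, so the Step #2 section should stay empty.
    $status = Get-MpComputerStatus
    if (-not $status.IsTamperProtected)        { $findings.Add('Tamper Protection is OFF') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is OFF') }

    # Step #1: policy values under Real-Time Protection. 1 = feature off by policy.
    if (Test-Path $policyKey) {
        $key = Get-ItemProperty -Path $policyKey
        foreach ($name in $policyValues) {
            if ($null -ne $key.PSObject.Properties[$name] -and $key.$name -eq 1) {
                $findings.Add("Policy $name = 1 under $policyKey")
                if ($Remediate) { Remove-ItemProperty -Path $policyKey -Name $name }
            }
        }
    }

    # Step #2: preferences normally changed through Set-MpPreference.
    $prefs = Get-MpPreference
    foreach ($name in $tamperedPrefs.Keys) {
        if ($prefs.$name -eq $tamperedPrefs[$name]) {
            $findings.Add("Preference $name = $($prefs.$name)")
            if ($Remediate) {
                # Booleans go back to $false; threat actions go to 2 (Quarantine),
                # a value chosen here rather than Defender's documented default.
                $restore = if ($tamperedPrefs[$name] -is [bool]) { $false } else { 2 }
                $splat = @{ $name = $restore }
                Set-MpPreference @splat
            }
        }
    }

    # Defender's operational log records these changes as they happen:
    # 5001 = real-time protection disabled, 5007 = platform configuration changed.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        TamperProtected    = [bool]$status.IsTamperProtected
        Findings           = $findings.ToArray()
        ConfigEventsLast7d = @($events).Count
    }
}

# Usage: report only, or report and put the settings back.
Test-DefenderTampering
# Test-DefenderTampering -Remediate
```

A non-zero ConfigEventsLast7d on a machine where nobody changed Defender settings is worth a look even when Findings is empty, because it shows that something tried; forwarding event IDs 5001 and 5007 to a central log is the cheap way to catch this across a fleet rather than host by host.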
All the measures taken by Trickbot to make sure it can carry out infections undisturbed are meticulous and complex. It's easy to see how most users would be unaware that anything is wrong until it's too late. After all, who manually checks the settings in Windows Defender daily?
Other Malware Which Disables Microsoft Security Apps
Perhaps even more worrisome is that Trickbot seems to not be an isolated case. We’re not dealing with brilliant hackers, the likes of which the world has never seen. The disabling of built-in defenses is becoming a more and more common sight with the latest malware strains.
The most recent example is the DealPly adware, which turns off defensive software such as Microsoft SmartScreen, but also well-known commercial security software (McAfee's WebAdvisor). The actual damage done by DealPly is not severe yet, but even malvertising can have disastrous effects when paired with financial malware and other threats.
Even if the damage done by the DealPly adware is not immediately visible at this moment, it is nevertheless worrisome how it can disable security software. Apparently, merely avoiding detection is becoming a malware ambition of the past.
More Windows Defender Vulnerabilities to Know about
All Windows Defender vulnerabilities can be checked in almost real time on a dedicated CVE portal here. You can also check for fixes there, but be warned that it can be a hassle to do it manually.
Windows Defender Updates Which Are Somewhat Closing Vulnerabilities
To be fair, Microsoft is trying to patch some of these vulnerabilities and succeeds in closing some of the gaps. But in the long run, especially because Microsoft is a huge target of attackers worldwide, it's impossible to stay afloat.
How to Stay Safe Beyond the Limited Protection of Windows Defender
Within the limited scope of built-in Windows defenses, what you can do is create a separate user account. Run most of your routine activities from this plain user account and only enter the administrator account when you need to do something very important. Even then, tread carefully.
The other thing to do in order to overcome the Windows Defender vulnerabilities is to invest in extra protection layers.
You clearly can’t rely on Windows Defender for keeping your PC or laptop safe. Not having a specialized cybersecurity suite to protect your device has always been a hazard. But now, with the recent developments, it’s revealed to be even more dangerous than previously thought.
My advice is to not postpone your cybersecurity or stick to the free, default versions such as Windows Defender. No matter how improbable you might think a malware infection is, it may be closer than you think. People who lost data, money, privacy or worse to malware all thought it couldn’t happen to them.
Don’t rely on built-in, default defenses, or on a single security product, for that matter. Stay vigilant and try to have solutions which keep up with the threatscape.
How much protection is enough?
In the cat and mouse cybersecurity game, hackers quickly find ways to overcome current defensive software. Then, the defensive software strives to redefine itself to overcome the new malware developments, and so on.
All this takes place at exhilarating speed. So, to make sure you can't become the next victim of malware, don't stop at one defender. Have an active next-gen antivirus, but also a threat detection layer on top of it. Also, update your software and apply patches as soon as they're released.
A cybersecurity suite which contains all of the above is, of course, ideal, so I can recommend our Heimdal™ Premium Security Home. If you want to try it for free, here's a month on the house. Just click on the 'I want to try it free for 30 days' option and follow the rest of the instructions for installing.
Regardless of the brand of products you use, just know that you’re better off using at least something in addition to just Windows Defender. Preferably, your defenses should include a smart threat detection mechanism, like a DNS filter. As long as you do that, all should be well.
Good luck with your cybersecurity and don’t forget to check from time to time if your Windows Defender is still active and up to date. Check especially if you’re not 100% confident in the rest of your security software. If you stay vigilant, you may catch threats in time, before any significant damage is done.
But it can surely only disable Defender if tamper protection is turned off? If it's turned on, these policies are not enforced and are ignored.
How can I re-enable Defender after I have cleaned the Trickbot using Kaspersky? It seems all services of Defender are stopped and the start buttons are greyed out.
Awesome article and thanks for the info.