A bug in the Anti-Malware Scan Interface in Windows 10 could allow malware to go undetected in scans if the code contained a null character.
Introduced with Windows 10, the Anti-Malware Scan Interface (AMSI) is a security apparatus that acts as a go-between for applications and your anti-virus. It allows applications to check if the files they're using are safe by sending them to be checked by the anti-virus.
One of the most important roles of AMSI is to check executable files on start-up and to scan further resources that may be opened by an application after start-up. It's especially useful given a growing trend among malicious actors to circumvent traditional signature-based anti-virus engines by disguising their attacks as PowerShell scripts running on otherwise legitimate applications.
The bug, as discovered by researcher Satoshi Tanda, causes files sent to be scanned by the AMSI to be truncated at a null character. This would mean that an attacker could easily hide malicious code in a script by placing it after a null character. Since AMSI would never read this code, the malware would pass without any warning bells going off.
Thankfully, the bug has been fixed in Microsoft's latest Patch Tuesday release. "In theory, no action other than applying the patch should be required. However, software vendors using AMSI to scan PowerShell contents should review whether it can handle null characters properly should they appear," says Tanda.
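To make the truncation behaviour and Tanda's advice to vendors concrete, here is a small Python model. It is an added example, not code from the article, from Tanda or from Microsoft: `truncating_scan` models a scanner that treats the buffer as a NUL-terminated string, `length_aware_scan` assumes the fixed behaviour scans the buffer to its full length, and `check_nul_handling` is the kind of self-test a vendor consuming AMSI results could run against their own scanner. The sample script, the signature list and the marker string are all constructed for the example.

```python
"""Model of a NUL-truncating scanner versus a length-aware one, plus a
self-test for NUL handling. Added example; the content below is a
constructed marker, not real malware, and the scanners are toy models."""

NUL = "\x00"

# Constructed sample: benign text, then a NUL, then a marker that a
# correctly behaving scanner must still flag.
SAMPLE_SCRIPT = "Write-Host 'hello'" + NUL + "Invoke-Expression 'SIMULATED-BAD-MARKER'"

# Constructed "signature" list standing in for a real detection engine.
SIGNATURES = ("SIMULATED-BAD-MARKER",)


def truncating_scan(content: str) -> bool:
    """Model of the bug: the buffer is read as a C string, so anything
    after the first NUL is never inspected."""
    visible = content.split(NUL, 1)[0]
    return any(sig in visible for sig in SIGNATURES)


def length_aware_scan(content: str) -> bool:
    """Assumed fixed behaviour: the whole buffer is scanned, using its
    explicit length rather than stopping at a NUL."""
    return any(sig in content for sig in SIGNATURES)


def check_nul_handling(scan_fn, marker: str = SIGNATURES[0]) -> bool:
    """Vendor-style self-test: a scanner that flags `marker` on its own
    must still flag it when NUL characters precede it. Returns True only
    if every probe is flagged, i.e. NULs do not hide content."""
    probes = [
        marker,                          # control: marker alone
        "benign" + NUL + marker,         # marker after one NUL
        NUL * 4 + marker,                # marker after leading NULs
        "a" + NUL + "b" + NUL + marker,  # marker after several NULs
    ]
    return all(scan_fn(p) for p in probes)


if __name__ == "__main__":
    for name, fn in (("truncating", truncating_scan), ("length-aware", length_aware_scan)):
        print(f"{name:12s} flags sample: {fn(SAMPLE_SCRIPT)}  "
              f"handles NULs: {check_nul_handling(fn)}")
```

Running the block shows the truncating model missing the sample entirely while passing the control probe, which is exactly why a check like `check_nul_handling` belongs in a vendor's test suite: a scanner can look healthy on ordinary input and still fail on embedded NULs.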
Source: Satoshi Tanda via BleepingComputer