BlueHat IL 2024 - Or Yair - Aikido: Turning EDRs to malicious wipers using 0-day exploits

256 views

Microsoft Israel R&D Center

27 days ago

Wipers have become the go-to tool for nation-state cyber warfare in the decade since the Shamoon attack. Wipers have been used by Russia, Iran, North Korea, and other APTs to support offensive acts. One of the most famous recent attacks was launched during the Russian invasion of Ukraine.
We were curious whether we could build a next-gen wiper. It would run with the permissions of an unprivileged user yet have the ability to delete any file on the system, even making the Windows OS unbootable. It would do all this without implementing any file-deletion code of its own, making it undetectable. The wiper would also make sure that the deleted files could not be restored.
Drawing on the wisdom of martial arts, we understood the importance of using an opponent's own strength against them in order to defeat them. Thus, we aimed to turn the deletion power of EDRs to our advantage, triggering it by faking a threat.
We examined the leading EDR products and attempted to make them confuse malicious files with legitimate files during their threat mitigation process. We managed to discover and exploit 0-day vulnerabilities in more than 50% of them, leading to the creation of our Aikido wiper, which could be effective against hundreds of millions of endpoints around the world.
In this talk, we'll start by explaining the background of wiper usage, and our research goals and assumptions. Then we'll explain how different EDR products behave when they detect a threat, and how we exploited their insecure actions in our Aikido wiper. We'll go on to present four vulnerabilities we found in Microsoft Defender Antivirus, Microsoft Defender for Endpoint, SentinelOne's EDR, Trend Micro Apex One, Avast Antivirus and AVG Antivirus. Finally, using those vulnerabilities, we'll demonstrate the wiping of all user data and making the operating system unbootable.
