[mirimir]

Also, in the image caption ...

> Because of Windows Defender automatic sample submission, Beacon binary was uploaded to Redmond and Beacon called Home from there.

... and below ...

> They run the executable in an environment where network connectivity is available.

Why would they do that? To see what happens?

And it's not just Microsoft. Many anti-malware apps (now, probably most) upload binaries. And I'm guessing that many run them. Maybe even with network access.

SensorFu might want to repeat this test using other anti-malware apps.

[Uristqwerty]

Consider: Malware that doesn't do anything suspicious unless it can first fetch a plausible benign file from what looks like a CDN. If the goal is to properly inspect the behaviour of potentially-malicious code, what it does after successfully fetching a set of ads is as, if not more important than what it does when the connection is blocked. Perhaps a multiplayer game with a backdoor triggered by the MotD service, through intentionally-vulnerable-to-buffer-overflows string processing code.

[philpem]

For bonus points, the C&C server realises the incoming IP has Microsoft's name attached, and only sends back the adverts. For anyone else, it sends a malicious image file as part of the drop, which exploits an intentional security vulnerability in the dropper...

That's actually disturbingly sneaky.

[mirimir]

OK, that makes sense.

So how would one block this exploit? You can't test the malware properly without letting it reach its servers. So then you're also letting it upload its exfiltrated data. Which would likely be encrypted.

[philpem]

I think you'd more or less have to block *.microsoft.com at the gateway, then add explicit allows for WGA and Windows Update.

Or a group policy update to tell Defender not to upload stuff to MS.

[mirimir]

Sorry. I meant how would Microsoft (and other anti-malware) firms block it. When they're testing binaries obtained from users' machines.

For users, sure, try to lock down Windows. Or (my preference) just don't use it. Or don't give it network access, if it contains any information that you care about.