New zero-day attack exploits old Windows vulnerability to take ‘full control’ of ‘major antivirus’ products
Security researchers have warned of a potentially worrying security vulnerability that could allow attackers to seize control of an antivirus package running on Windows PCs.
Security firm Cybellum has named the attack ‘DoubleAgent’ and warns that it could lead to the victim’s PC performing malicious operations on the attacker’s behalf, such as allowing the execution of malware that would otherwise be blocked, encrypting files, or even formatting the hard drives.
And it seems that some of the biggest names in the antivirus industry including Avast, BitDefender, Trend Micro, F-Secure, Kaspersky, Malwarebytes, McAfee, and Norton, are vulnerable to DoubleAgent.
Not Yet Patched
“Our research team has uncovered a new Zero-Day attack for taking full control over major antiviruses and next-generation antiviruses,” blogged Cybellum. “Instead of hiding and running away from the antivirus, attackers can now directly assault and hijack control over the antivirus.”
“The attack begins when the attacker injects code into the antivirus by exploiting a new Zero-Day vulnerability,” it warned. “Once inside, the attacker can fully control the antivirus. We named this attack DoubleAgent, as it turns your antivirus security agent into a malicious agent, giving an illusion that the antivirus protects you while actually it is abused in order to attack you.”
So how does it work?
Well, it seems that DoubleAgent exploits a 15-year-old weakness that works on all versions of Microsoft Windows, from Windows XP all the way to Windows 10.
“The sad, but plain fact is that the vulnerability is yet to be patched by most of the antivirus vendors and could be used in the wild to attack almost any organisation that uses an antivirus,” warned the researchers.
“Once the attacker has gained control of the antivirus, he may command it to perform malicious operations on behalf of the attacker,” it said. “Because the antivirus is considered a trusted entity, any malicious operation done by it would be considered legitimate, giving the attacker the ability to bypass all the security products in the organisation.”
Cybellum decided to go public with the vulnerability, but says it has reported the flaw to all major vendors, who are currently working on patches; some have already released updates.
Cybellum explained that DoubleAgent exploits a legitimate Windows tool called ‘Microsoft Application Verifier’. This is a runtime verification tool used to discover and fix bugs in applications: it works by loading ‘verifier’ DLLs into a target process when that process starts. But it seems that the tool contains “an undocumented ability” which can give an attacker the ability to replace the standard verifier with his own custom verifier. In other words, the attacker is not exploiting a memory-corruption bug but registering his own DLL as the verifier that Windows injects into the chosen application, antivirus included, every time it launches; because that registration lives in a machine-wide registry setting, it survives reboots and, as Avast notes below, requires administrator rights to create.
“An attacker can use this ability in order to inject a custom verifier into any application,” warned the researchers. “Once the custom verifier has been injected, the attacker now has full control over the application.”
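The check a defender would want at this point, written for this article as an added example rather than code from Cybellum or from the original page: Application Verifier providers are registered under the Image File Execution Options (IFEO) key in the registry, through a GlobalFlag value with the FLG_APPLICATION_VERIFIER bit (0x100) set and a VerifierDlls value naming the DLLs to load, so a hunt for DoubleAgent-style hijacks is a scan of IFEO subkeys for that pair. The script below parses a .reg export and flags every image whose verifier list points at a DLL outside a baseline of Microsoft’s own provider DLLs. The sample export, the avservice.exe/evil.dll entry and the baseline list are all constructed for illustration and are assumptions, not data from the article.

```python
"""Hunt for DoubleAgent-style Application Verifier hijacks in a .reg export.

Added example for this article, not Cybellum's code or part of the original
page.  It relies on the publicly documented way Application Verifier providers
are registered: an Image File Execution Options (IFEO) subkey named after the
target executable, a GlobalFlag value with FLG_APPLICATION_VERIFIER (0x100)
set, and a VerifierDlls value naming the DLLs the loader maps into the process
at start-up.  Point VerifierDlls at your own DLL and it is loaded into the
target (an antivirus service included) every time it starts.
"""
import re

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options" + "\\")
FLG_APPLICATION_VERIFIER = 0x100

# Microsoft's own verifier provider DLLs.  Assumed baseline for illustration;
# anything not in it that appears in VerifierDlls deserves a closer look.
KNOWN_VERIFIER_DLLS = {"vrfcore.dll", "vfbasics.dll", "vfcompat.dll"}

# Constructed .reg export (sample data, not taken from any real machine or
# from the article).  Four IFEO entries:
#   notepad.exe   - plain Debugger redirect, no verifier involved
#   avservice.exe - verifier redirected to an unknown DLL (the DoubleAgent shape)
#   testapp.exe   - genuine Application Verifier session with Microsoft DLLs
#   legacy.exe    - VerifierDlls set but flag bit missing, so the loader ignores it
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="vsjitdebugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avservice.exe]
"GlobalFlag"="0x100"
"VerifierDlls"="evil.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\testapp.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="vrfcore.dll vfbasics.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\legacy.exe]
"VerifierDlls"="vfbasics.dll"
"""

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.+)$')


def _decode_value(raw):
    """Turn the textual .reg value into a str or int; other types stay raw."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def _as_int(value):
    """GlobalFlag is written as REG_SZ ("0x100") or REG_DWORD; accept both."""
    if isinstance(value, int):
        return value
    try:
        return int(str(value).strip(), 0)
    except ValueError:
        return 0


def parse_reg(text):
    """Map each [key path] in a .reg export to a dict of its named values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        match = _VALUE_RE.match(line)
        if match and current is not None:
            keys[current][match.group("name")] = _decode_value(match.group("val"))
    return keys


def find_verifier_hijacks(reg_text, known_dlls=KNOWN_VERIFIER_DLLS):
    """Return the IFEO images whose verifier provider list is actually live."""
    findings = []
    for path, values in parse_reg(reg_text).items():
        if not path.lower().startswith(IFEO_PREFIX.lower()):
            continue
        image = path[len(IFEO_PREFIX):]
        if "\\" in image:          # nested subkeys are not verifier hooks
            continue
        flags = _as_int(values.get("GlobalFlag", 0))
        dlls = str(values.get("VerifierDlls", "")).split()
        # Both halves are needed: without the 0x100 bit the loader never
        # consults VerifierDlls, and without VerifierDlls nothing custom is named.
        if flags & FLG_APPLICATION_VERIFIER and dlls:
            unknown = [d for d in dlls if d.lower() not in known_dlls]
            findings.append({"image": image, "dlls": dlls, "unknown_dlls": unknown})
    return findings


if __name__ == "__main__":
    for hit in find_verifier_hijacks(SAMPLE_REG):
        verdict = "SUSPICIOUS" if hit["unknown_dlls"] else "benign (Microsoft DLLs only)"
        print(f"{hit['image']}: VerifierDlls={hit['dlls']} -> {verdict}")
```

On a live machine the input comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` (on 64-bit Windows export the Wow6432Node mirror of that key as well, since 32-bit processes consult it). The script deliberately reports genuine verifier sessions too, marked benign, because a developer machine running Application Verifier against its own binaries looks identical at the registry level; only the DLL names tell the two apart, which is why the baseline matters more than the flag.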
Avast has responded to Silicon and explained that its latest products have already been patched, and that Cybellum’s emphasis on the risks posed by DoubleAgent was “overstated.”
“We were alerted by Cybellum last year through our Bug Bounty program to a potential self-defence bypass exploit,” explained Ondrej Vlcek, CTO and General Manager of the Consumer Business at Avast. “We implemented the fix at the time of reporting and therefore can confirm that both the Avast and AVG 2017 products, launched earlier this year, are not vulnerable.”
“It is important to note that the exploit requires administrator privileges to conduct the attack and once that’s the case, there are numerous other ways to cause damage or modify the underlying operating system itself,” he added. “Therefore, we rate the severity of this issue as ‘low’ and Cybellum’s emphasis on the risk of this exploit to be overstated.”
Attacks of this kind attract scrutiny because antivirus software is often viewed as the last line of defence against the compromise of a computer. When a computer is infected with malware, users tend not to blame the firewall or the network intrusion-detection system, but instead criticise the software that protects the endpoint.
And there have been some problems with antivirus software. For example back in 2015, Panda Security admitted that an update problem had caused part of its antivirus software to misidentify itself as malware.
That problem was reportedly so serious that an undisclosed number of business computers were left unstable, or even ‘bricked’, after users rebooted the machines.