People are afraid of being infected by viruses, malware, spyware and other forms of online attack. The fear that their antivirus software might not protect them is a looming threat, and one that turns out to be larger than expected.
Researchers at security firm Cybellum found a zero-day attack they call Double Agent. The attack can take over antivirus software on Windows machines; once it does, the antivirus becomes malware that encrypts files for ransom, exfiltrates data or formats the hard drive.
How does this happen? From Windows XP through the latest Windows versions, there is a way to attack all 14 antivirus products that Cybellum tested, and the same technique would work against pretty much every other process running on the machine.
Although Double Agent was discovered, there has not been any confirmed sighting in the wild.
Cybellum reported the issue to all major antivirus vendors, who have verified that the vulnerability affects them and are working on patches. The vendors were notified more than 90 days ago, the standard period for responsible disclosure, which gives them time to fix the problem.
Two of the 14 notified vendors, AVG and Malwarebytes, have already taken steps to address the problem. The other 12 are Avast, Avira, Bitdefender, Trend Micro, Comodo, ESET, F-Secure, Kaspersky, McAfee, Panda, Quick Heal and Norton.
According to Trend Micro, its Titanium product is the only one affected by the vulnerability, and the company is preparing an urgent security bulletin.
Kaspersky Lab thanked Cybellum Technologies LTD for reporting the vulnerability. This DLL hijacking attack became possible via an undocumented feature of Microsoft Application Verifier. As of March 22, 2017, this malicious scenario is detected and blocked.
Double Agent takes advantage of a quirk of Microsoft Application Verifier, a tool that detects and fixes bugs in native applications. Verification is performed by a “verifier provider DLL” that is loaded into the application at runtime.
Application Verifier allows creating new verifier DLLs and registering them for a process with a set of keys stored in the registry. “Once a DLL has been registered as a verifier provider DLL for a process, it would permanently be injected by the Windows Loader into the process every time the process starts, even after reboots/updates/reinstalls/patches/etc.,” Cybellum says. In other words, the DLL persists.
This issue is not going away anytime soon. The mechanism has been undocumented for a long time, and it needs to be fully disclosed and documented before it can become usable public knowledge.
There is no specific flaw in the antivirus products themselves; the DLLs could be injected into any process to perform the attack. The catch is that the injected processes are trusted by other applications on the computer, and that includes the antivirus itself.
“Antivirus is the most important attack we could do,” he says. “If you attack an organization, not just a consumer, you can get full control over the organization. No other security examines the antivirus. It will bypass all the huge stack of security products you might have.”
The workaround used by AVG and Malwarebytes involves patching the antivirus software so that it watches for any process trying to write to the antivirus's registry keys and blocks it, he says. “Antivirus is in the kernel with a driver that can see almost everything,” he says.
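The registry-based registration described above is also where a defender can look for it. The following PowerShell script is an added example, not code from the article, Cybellum or any of the vendors named. It assumes the documented Application Verifier layout: a per-executable subkey under Image File Execution Options holding a `GlobalFlag` value (bit 0x100 enables the verifier) and a `VerifierDlls` string naming the provider DLLs, which Windows resolves from the System32 (or SysWOW64) directory. It enumerates every such registration, checks the named DLL's Authenticode signature, and flags entries that are missing, unsigned or not signed by Microsoft, which is the signal an AV-style registry write block or a periodic audit would act on.

```powershell
# Added example: audit Application Verifier provider DLL registrations (a point-in-time
# check, complementary to the write-blocking approach AVG and Malwarebytes describe).
# Run from an elevated prompt so that the IFEO keys and System32 files are readable.

$Ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$FLG_APPLICATION_VERIFIER = 0x100   # GlobalFlag bit that turns verifier loading on

function Get-VerifierDllRegistration {
    Get-ChildItem -Path $Ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if (-not $props.VerifierDlls) { return }      # no provider DLL registered here

        $image = $_.PSChildName                       # e.g. some_av_service.exe
        # GlobalFlag may be absent, a DWORD, or a hex string such as "0x100"
        $globalFlag = if ($props.GlobalFlag) { [int]$props.GlobalFlag } else { 0 }
        $verifierOn = ($globalFlag -band $FLG_APPLICATION_VERIFIER) -ne 0

        # VerifierDlls is a space-separated list of bare DLL file names
        foreach ($dll in ($props.VerifierDlls -split '\s+' | Where-Object { $_ })) {
            # Resolve the way the loader does: system directory first, then WOW64
            $candidates = @("$env:SystemRoot\System32\$dll", "$env:SystemRoot\SysWOW64\$dll")
            $path = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1

            if ($path) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                $status = $sig.Status.ToString()
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            } else {
                $status = 'FileMissing'; $signer = ''
            }

            # Microsoft's own provider DLLs are Microsoft-signed; anything else deserves a look
            $suspicious = ($status -ne 'Valid') -or ($signer -notmatch 'Microsoft')

            [pscustomobject]@{
                Image           = $image
                VerifierDll     = $dll
                VerifierEnabled = $verifierOn
                DllPath         = $path
                Signature       = $status
                Signer          = $signer
                Suspicious      = $suspicious
            }
        }
    }
}

# Usage: list everything, then isolate the rows worth escalating
$registrations = Get-VerifierDllRegistration
$registrations | Format-Table -AutoSize
$registrations | Where-Object Suspicious | ForEach-Object {
    Write-Warning ("Verifier provider '{0}' registered for {1}: {2}" -f $_.VerifierDll, $_.Image, $_.Signature)
}
```

Two caveats apply. An entry with `VerifierEnabled = $false` is still worth reporting, because the DLL name stays in the registry and a later flip of `GlobalFlag` re-arms it, which is the persistence Cybellum describes. And a one-off audit only shows the current state; the vendors' fix watches the write itself, so on monitored hosts pair this with registry-modification auditing (for example Sysmon event ID 13 scoped to the Image File Execution Options key) so that new `VerifierDlls` values are logged the moment they appear.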
Meanwhile, organizations might try increased diligence about downloads to stop Double Agent from reaching their machines.
Cybellum says that three years ago Microsoft introduced a new design concept, called Protected Process, meant specifically to protect antivirus software. Vendors can write their platforms to run as protected processes, which allow only trusted, signed code to load into them, so the code would be shielded from any code-injection attack, including Double Agent.
This is a simple attack that could be carried out by a script kiddie and exploited by unscrupulous developers; the attack code could be delivered directly from a malicious website or by opening a malicious attachment.