Double Agent attack can turn antivirus into malware
Security

Double Agent attack can turn antivirus into malware

A zero-day attack called Double Agent can take over antivirus software on Windows machines and turn it into malware that encrypts files for ransom, exfiltrates data or formats the hard drives.

Based on a 15-year-old feature in Windows from XP through Windows 10, the attack is effective against all 14 antivirus products tested by security vendor Cybellum – and would also be effective against pretty much every other process running on the machines.

Double Agent was discovered by Cybellum researchers and has not been seen in the wild.

“The attack was reported to all the major vendors which approved the vulnerability and are currently working on finding a solution and releasing a patch,” according to a Cybellum blog. All the vendors were notified more than 90 days ago, which is the standard length of time for responsibly disclosing vulnerabilities and giving vendors time to fix them.

In this case two out of 14 antivirus vendors that have been notified have taken steps to deal with the problem – AVG and Malwarebytes, says Slava Bronfman Cybellum’s CEO. The other 12 that have been notified are Avast, Avira, Bitdefender, Trend Micro, Comodo, ESET, F-Secure, Kaspersky, McAfee, Panda, Quick Heal and Norton.

UPDATE: Trend Micro has issued this statement: "At this time, we have confirmed that Titanium is the only product affected by this vulnerability, and we do have a in the works to be published as an urgent security bulletin later this morning."

UPDATE: Kaspersky Lab issued this statement: "Kaspersky Lab would like to thank Cybellum Technologies LTD for discovering and reporting the vulnerability which made a DLL Hijacking attack possible via an undocumented feature of Microsoft Application Verifier. The detection and blocking of this malicious scenario has been added to all Kaspersky Lab products from March 22, 2017."

Double Agent takes advantage of a quirk of Microsoft Application Verifier, a tool that detects and fixes bugs in native applications. This is performed by something known as a “verifier provider DLL” that gets loaded into the applications at runtime.

Microsoft Application Verifier allows creating new verifier DLLs and registering them with a set of keys for it that get stored in the registry. “Once a DLL has been registered as a verifier provider DLL for a process, it would permanently be injected by the Windows Loader into the process every time the process starts, even after reboots/updates/reinstalls/patches/etc.,” Cybellum says. In other words, the DLL persists.

This vulnerability is actually an undocumented feature of Microsoft Application Verifierl, Bronfman says, so it’s unlikely to be removed anytime soon.

Bronfman says there’s no particular flaw with the antivirus platforms; the DLLs could be inserted into any process. Cybellum chose to attack them because they make an effective attack surface: they are trusted by other applications on the computers, including other security software.

“Antivirus is most important attack we could do,” he says. “If you attack an organization, not just consumer, you can get full control over the organization. No other security examines the antivirus. It will bypass all the huge stack of security products you might have.”

The workaround being used by AVG and Malwarebytes involves patching the antivirus software to look for any process trying to write to the antivirus registry and then block it, he says. “Antivirus is in the kernel with a driver that can see almost everything,” he says.

RELATED: How San Diego fights off 500,000 cyberattacks a day

Meanwhile organizations might try increasing diligence about downloads to stop Double Agent from accessing machines.

Cybellum says that three years ago Microsoft provided a new design concept that antivirus vendors could use that is called Protected Process and is meant specifically to protect antivirus software. Vendors could write their platforms so they are considered protected processes that would only allow trusted, signed code to load on them. So the code would be protected from any code-injection attack, including Double Agent.

Bronfman says executing the attack could be done by someone with the skills of a script kiddie. The attack code can be downloaded directly from a malicious Web site or opening a malicious attachment, he says.

IDG Insider

PREVIOUS ARTICLE

«Why Apple dropped iPad’s price to lowest yet

NEXT ARTICLE

Netflix debuts on Firefox for Linux, but not everyone's happy about it»

Add Your Comment

Most Recent Comments

Our Case Studies

IDG Connect delivers full creative solutions to meet all your demand generatlon needs. These cover the full scope of options, from customized content and lead delivery through to fully integrated campaigns.

images

Our Marketing Research

Our in-house analyst and editorial team create a range of insights for the global marketing community. These look at IT buying preferences, the latest soclal media trends and other zeitgeist topics.

images

Poll

Should we donate our health data the same way we donate organs?