
New Attack Uses Microsoft's Application Verifier to Hijack Antivirus Software


Batu69


Norton antivirus UI modified via DoubleAgent attack

A new technique named DoubleAgent, discovered by security researchers from Cybellum, allows an attacker to hijack security products and make them take malicious actions.

The DoubleAgent attack was uncovered after Cybellum researchers found a way to exploit Microsoft's Application Verifier mechanism to load malicious code inside other applications.

DoubleAgent attack leverages Microsoft's Application Verifier

The Microsoft Application Verifier is a tool that allows developers to verify code for errors at runtime. The tool ships with all Windows versions and works by loading a DLL inside the application developers want to check.

 

Cybellum researchers discovered that developers could load their own "verifier DLL" instead of the one provided by the official Microsoft Application Verifier.

Simply by creating a Windows Registry key, an attacker could name the application he wants to hijack and then provide his own rogue DLL he'd like injected into a legitimate process.

 

Several antivirus makers affected

Cybellum researchers say that most of today's security products are susceptible to DoubleAgent attacks. The list of affected products includes:

Avast (CVE-2017-5567)
AVG (CVE-2017-5566)
Avira (CVE-2017-6417)
Bitdefender (CVE-2017-6186)
Trend Micro (CVE-2017-5565)
Comodo
ESET
F-Secure
Kaspersky
Malwarebytes
McAfee
Panda
Quick Heal
Norton

"We have reported [DoubleAgent to] all the vendors more than 90 days ago, and worked with [a] few of them since," Michael Engstler, Cybellum CTO, told Bleeping Computer in an email.

 

At the time of writing, "the only vendors that released a patch are Malwarebytes (version number: 3.0.6 Component Update 3), AVG (version number: 16.151.8007) and Trend-Micro (should release it soon)," Engstler added.

DoubleAgent morphs security products into malware

The DoubleAgent attack is extremely dangerous, as it hijacks the security product, effectively disabling it. Depending on an attacker's skill level, he could use the DoubleAgent flaw to load malicious code that:

  • Turns the security product off
  • Makes the security product blind to certain malware/attacks
  • Uses the security product as a proxy to launch attacks on the local computer/network
  • Elevates the privilege level of all malicious code (security products typically run with the highest privileges)
  • Uses the security product to hide malicious traffic or exfiltrate data
  • Damages the OS or the computer
  • Causes a denial of service

By design, the DoubleAgent attack is both a code injection technique and a persistence mechanism, as it allows an attacker to re-inject the malicious DLL inside a targeted process after each boot, thanks to the registry key.

DoubleAgent attack affects all software

Even though the Cybellum team focused its research on antivirus software, don't think of DoubleAgent as a threat to security products alone.

The vulnerability behind DoubleAgent, and especially its ability to inject code into any process, makes it a threat to any application, even the Windows OS itself.

 

Engstler, who found the flaw and has been working with security vendors to patch their products, says DoubleAgent is a universal threat.

"This technique can be used to hijack ANY application, even the applications of the operating system itself," the expert told Bleeping Computer. "There is no need to alter our POC code in any way, you just execute it with the requested application name, and it would automatically attack it, no matter if it's an antivirus or a different application."

 

The proof-of-concept code he's referring to is available on GitHub. Two blog posts detailing the attack, in general, and at a technical level, will be published tomorrow, March 22. The YouTube video below shows a DoubleAgent attack in action.

 

Video: DoubleAgent Zero-Day Attacking Norton Antivirus

 

 

Cybellum recommends that security vendors use Microsoft's Protected Processes mechanism, which the company introduced with Windows 8.1.

Protected Processes is a security system that Microsoft specifically designed for anti-malware services, and which works by wrapping around their processes and not permitting other apps to inject unsigned code.

 

Of all security products, only Windows Defender currently uses Protected Processes.

 

Article source


Malware can reach Windows PCs via Microsoft solution

 

Security company Cybellum discovered a new zero-day attack that makes it possible for hackers to take control of the antivirus software running on a Windows system using a vulnerability that exists in all Windows versions out there, starting with Windows XP and ending with the most recent build of Windows 10.

 

The company explains in a blog published today that most major antivirus solutions are affected by this vulnerability, including Avast, AVG, Avira, Bitdefender, Trend Micro, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Panda, Quick Heal, and Norton.

 

Called DoubleAgent, the exploit relies on a legitimate tool that Microsoft itself is offering in Windows and is named “Microsoft Application Verifier.” Built to help developers find bugs in their applications, this tool can be hijacked to replace the standard verifier with a custom verifier, which enables an attacker to take full control of the app.

 

The next step is to register a compromised DLL for a process belonging to security software, which in turn opens the door to more malicious activities, such as installing backdoors, adding exclusions, deleting files or even encrypting them in a typical ransomware attack.

 

Only two companies patched their antivirus software

 

Cybellum says it has already notified the affected security companies, but until now, only Malwarebytes and AVG released a patch.

 

“The sad, but plain fact is that the vulnerability is yet to be patched by most of the antivirus vendors and could be used in the wild to attack almost any organization that uses an antivirus. Once the attacker has gained control of the antivirus, he may command it to perform malicious operations on behalf of the attacker,” the firm says.

 

What’s worse is that DoubleAgent has the capabilities of injecting code even after users reboot the systems or install patches and updates, making it very difficult to remove the malware.

 

“Once a persistence technique is well-known, security products update their signatures accordingly. So once the persistence is known, it can be detected and mitigated by the security products. Being a new persistence technique, DoubleAgent bypasses AV, NGAV and other endpoint solutions, giving an attacker the ability to perform his attack undetected with no time limit,” the blog post reads.

 

A video demonstration shows how the DoubleAgent malware works in an attack against Norton Antivirus and you can watch it in full below.

 


 

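Both posts above describe the same mechanism: a registry key that names the target application and points Application Verifier at an attacker-supplied "verifier DLL", which is then loaded into that process at every start. Application Verifier takes its provider list from the Image File Execution Options (IFEO) key of the image (GlobalFlag bit 0x100, FLG_APPLICATION_VERIFIER, plus the VerifierDlls string value), so the practical check a defender wants is an audit of those keys. The script below is an added example written for this page; it is not Cybellum's proof-of-concept and not any vendor's detection code. The allowlist of provider DLL names, the sample entries and the image and DLL names in them are assumptions constructed for the example; on Windows it reads the live IFEO keys instead of the sample.

```python
"""Audit Image File Execution Options (IFEO) for Application Verifier providers.

Application Verifier enables its providers for a given image through that
image's IFEO key:
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image.exe>
    GlobalFlag    REG_DWORD  bit 0x100 = FLG_APPLICATION_VERIFIER
    VerifierDlls  REG_SZ     space-separated list of provider DLL names
Any DLL listed there is loaded into the image every time it starts.
The allowlist and the sample entries below are assumptions made for this example.
"""
import sys
from dataclasses import dataclass

FLG_APPLICATION_VERIFIER = 0x100
IFEO_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Assumption: provider DLLs an administrator deliberately installed with the
# official Application Verifier. Anything not in this set is reported as unknown.
KNOWN_PROVIDERS = frozenset({"vrfcore.dll", "vfbasics.dll", "vfcompat.dll"})


@dataclass
class IfeoEntry:
    image: str          # IFEO subkey name, e.g. "notepad.exe"
    global_flag: int    # GlobalFlag value, 0 if absent
    verifier_dlls: str  # VerifierDlls value, "" if absent


@dataclass
class Finding:
    image: str
    verifier_enabled: bool
    dlls: list
    unknown_dlls: list
    severity: str       # "high", "medium", "info" or "low"


def audit_entries(entries, allowlist=KNOWN_PROVIDERS):
    """Return one Finding per IFEO entry that has anything verifier-related."""
    findings = []
    for e in entries:
        dlls = [d.lower() for d in e.verifier_dlls.split()]
        enabled = bool(e.global_flag & FLG_APPLICATION_VERIFIER)
        if not dlls and not enabled:
            continue                      # plain IFEO entry (e.g. only a Debugger value)
        unknown = [d for d in dlls if d not in allowlist]
        if unknown and enabled:
            severity = "high"             # unknown DLL is loaded into the image at every start
        elif unknown:
            severity = "medium"           # unknown DLL staged, verifier flag not (yet) set
        elif dlls:
            severity = "info"             # only allowlisted providers configured
        else:
            severity = "low"              # flag set but no provider listed
        findings.append(Finding(e.image, enabled, dlls, unknown, severity))
    return findings


def _read_value(key, name, default):
    import winreg
    try:
        value, _ = winreg.QueryValueEx(key, name)
    except OSError:
        return default
    return value


def collect_live_entries():
    """Read the live IFEO keys in both the 64-bit and the 32-bit registry view.
    Returns [] when not running on Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            ifeo = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO_PATH, 0, winreg.KEY_READ | view)
        except OSError:
            continue
        with ifeo:
            i = 0
            while True:
                try:
                    image = winreg.EnumKey(ifeo, i)
                except OSError:
                    break                 # no more subkeys
                i += 1
                with winreg.OpenKey(ifeo, image, 0, winreg.KEY_READ | view) as sub:
                    flag = _read_value(sub, "GlobalFlag", 0)
                    if isinstance(flag, str):   # tolerate a value written as hex text
                        flag = int(flag, 16)
                    entries.append(IfeoEntry(image, flag, _read_value(sub, "VerifierDlls", "")))
    return entries


# Constructed sample, not real registry data; image and DLL names are hypothetical.
SAMPLE_ENTRIES = [
    IfeoEntry("notepad.exe", 0x100, "vrfcore.dll vfbasics.dll"),  # developer enabled AppVerifier
    IfeoEntry("iexplore.exe", 0, ""),                              # IFEO key used for unrelated settings
    IfeoEntry("exampleav.exe", 0x100, "rogue.dll"),                # the pattern described in the posts
    IfeoEntry("other.exe", 0, "staged.dll"),                       # DLL listed, flag not set
]

if __name__ == "__main__":
    live = collect_live_entries()
    source = "live registry" if live else "constructed sample"
    for f in audit_entries(live or SAMPLE_ENTRIES):
        print(f"[{f.severity:6}] {f.image}: dlls={f.dlls} unknown={f.unknown_dlls} "
              f"verifier_enabled={f.verifier_enabled} ({source})")
```

Reading HKLM IFEO does not require elevation, so this can run from a normal user session or be wrapped by an EDR script. Any "high" finding deserves a look at where the named DLL lives (verifier providers are searched for in System32) and whether it carries a valid signature; "medium" findings are worth keeping because the GlobalFlag value can be set later without touching VerifierDlls again.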