Cybellum says DoubleAgent is a zero-day attack that hijacks antivirus software and uses it to inject malware. Image: Cybellum/Y
Security researchers have discovered a new attack called DoubleAgent that uses a Windows bug-fixing tool to turn antivirus into malware.
The DoubleAgent attack is detailed by Israel-based security firm Cybellum, which claims to have confirmed it can compromise products by Avast, AVG, Avira, Bitdefender, Trend Micro, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Panda, Quick Heal, and Norton. The company says other antivirus products are also likely to be vulnerable.
The attack relies on Microsoft Application Verifier, a runtime verification tool used to discover bugs and improve the security of third-party Windows applications. The tool ships with Windows XP through to Windows 10.
“Our researchers discovered an undocumented ability of Application Verifier that gives an attacker the ability to replace the standard verifier with his own custom verifier,” writes Cybellum.
“An attacker can use this ability to inject a custom verifier into any application. Once the custom verifier has been injected, the attacker now has full control over the application.”
The issue doesn’t lie with Microsoft, but rather with antivirus vendors, and could be used to attack organizations that use affected antivirus products.
The issue can actually affect all software products, but Cybellum has focused on antivirus software since these products run with high privileges and are considered trusted.
Hence, if antivirus software is hijacked, it would bypass other security products used by an organization, the company warns.
In a separate write-up, Cybellum co-founder and chief technology officer Michael Engstler explains that DoubleAgent allows the attacker to inject any dynamic link library into any process. The attack will survive a reboot, as well as attempts to uninstall and reinstall the program.
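As an added example (not code from the article or from Cybellum), the following PowerShell script lets an administrator audit a host for the persistence the write-up describes: it enumerates Image File Execution Options entries that configure a verifier DLL and flags any that is enabled and points outside the system directory, is missing, or is not validly signed. It assumes the documented Application Verifier registry layout (GlobalFlag bit 0x100 and the VerifierDlls value), which the article itself does not name.

```powershell
# Added hunting script, not code from the article or from Cybellum. It lists every
# executable that has a verifier DLL configured under Image File Execution Options
# (IFEO) and reports where that DLL resolves and whether it carries a valid signature.
# Assumed layout (documented for Application Verifier): GlobalFlag bit 0x100 turns
# the verifier on for that image; VerifierDlls is a space-separated list of DLLs.

function Get-VerifierDllFindings {
    $systemDir = [System.Environment]::SystemDirectory      # e.g. C:\Windows\System32
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    foreach ($root in $roots) {
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            $dlls  = [string]$props.VerifierDlls
            if (-not $dlls) { continue }                      # no verifier DLL configured
            $flag  = [int]$props.GlobalFlag                   # REG_DWORD or "0x100" string; null -> 0

            foreach ($dll in ($dlls -split '\s+' | Where-Object { $_ })) {
                # A bare file name is loaded from the system directory, so that is where
                # a planted DLL would have to sit; a full path is taken as written.
                $resolved = if ([System.IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $systemDir $dll }
                $exists   = Test-Path -LiteralPath $resolved
                [pscustomobject]@{
                    Image            = $key.PSChildName
                    IfeoRoot         = $root
                    VerifierEnabled  = (($flag -band 0x100) -ne 0)
                    VerifierDll      = $dll
                    ResolvedPath     = $resolved
                    DllExists        = $exists
                    OutsideSystemDir = -not $resolved.StartsWith($systemDir, [System.StringComparison]::OrdinalIgnoreCase)
                    Signature        = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $resolved).Status } else { 'Missing' }
                }
            }
        }
    }
}

$findings = @(Get-VerifierDllFindings)
if ($findings.Count -eq 0) {
    Write-Output 'No IFEO entries with VerifierDlls configured.'
} else {
    $findings | Format-Table Image, VerifierEnabled, VerifierDll, DllExists, OutsideSystemDir, Signature -AutoSize
    # An enabled entry whose DLL sits outside the system directory, is missing, or is
    # not validly signed is the pattern to escalate; a legitimate verifier provider is
    # a signed Microsoft DLL in System32.
    $findings | Where-Object { $_.VerifierEnabled -and ($_.OutsideSystemDir -or -not $_.DllExists -or $_.Signature -ne 'Valid') } |
        ForEach-Object { Write-Warning "Review: $($_.Image) -> $($_.VerifierDll) [$($_.Signature)]" }
}
```

Run it from an elevated prompt so both IFEO roots are readable; an empty result is the expected state on a host where Application Verifier is not in use.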
So far, the only security vendors that have patched the issue are Malwarebytes, AVG, and Trend Micro, Engstler told Bleeping Computer. He also noted that all software is vulnerable to the attack, but highlighted antivirus due to its position as a key defense against malware.
Notably, the only antivirus product that is shielded from DoubleAgent is Windows Defender. That’s because it alone uses a Windows mechanism called Protected Processes, a protection in the kernel designed specifically to protect anti-malware services running in user mode. Microsoft introduced this feature in Windows 8.1, but clearly no security vendors have adopted the technology.
As Microsoft explains, most anti-malware products have a user-mode service, which is often used to download new virus definitions and updates.
While third-party developers can employ some techniques to protect these update services from attack, they’re not foolproof. Protected Processes ensures user-mode services only allow trusted code to load and shields them from attacks launched from admin services.