Your Antivirus Software might come with some annoyances. It might slow your computer down, or pop up so many alerts that you can’t tell when something is actually wrong. A well-intentioned debugging tool found in many versions of Microsoft Windows can be used maliciously to gain access to vulnerable antivirus programs, and weaponize them.
A zero-day attack called Double Agent can take over antivirus software on Windows machines and turn it into malware that encrypts files for ransom, exfiltrated data or formats the hard drives. Dubbed DoubleAgent, the new injecting code technique works on all versions of Microsoft Windows operating systems, starting from Windows XP to the latest release of Windows 10.
What's worse?
DoubleAgent exploits a 15-years-old undocumented legitimate feature in Windows from XP through Windows 10 called "Application Verifier," which cannot be patched. The attack is effective against all 14 antivirus products tested by security vendor Cybellum – and would also be effective against pretty much every other process running on the machines.
The sad, but plain fact is that the vulnerability is yet to be patched by most of the antivirus vendors and could be used in the wild to attack almost any organization that uses an antivirus. Once the attacker has gained control of the antivirus, he may command it to perform malicious operations on behalf of the attacker. Because the antivirus is considered a trusted entity, any malicious operation done by it would be considered legitimate, giving the attacker the ability to bypass all the security products in the organization.
What makes DoubleAgent worse than other attacks is that in most hacks, the attacker need not work harder to avoid the antivirus. An attack from something like this gives them the freedom to do as they please, without fear of interference. In essence, there would be no obstacle to stop them from destabilizing your system. The attack has been tested and proven on all the major antiviruses as well as of all versions of Microsoft Windows. The attack was reported to all the major vendors which approved the vulnerability and are currently working on finding a solution and releasing a patch.
Application Verifier (AppVerif.exe) is a dynamic verification tool for user-mode applications. This tool monitors application actions while the application runs, subjects the application to a variety of stresses and tests, and generates a report about potential errors in application execution or design. Application Verifier can detect errors in any user-mode applications that are not based on managed code, including user-mode drivers. It finds subtle programming errors that might be difficult to detect during standard application testing or driver testing.
Mitigation:
Microsoft has provided a new design concept for antivirus vendors called Protected Processes. The new concept is specially designed for antivirus services. Antivirus processes can be created as “Protected Processes” and the protected process infrastructure only allows trusted, signed code to load and has built-in defense against code injection attacks. This means that even if an attacker found a new Zero-Day technique for injecting code, it could not be used against the antivirus as its code is not signed. Currently no antivirus (except Windows Defender) has implemented this design. Even though Microsoft made this design available more than 3 years ago. It’s important to note, that even when the antivirus vendors would block the registration attempts, the code injection technique and the persistency technique would live forever since it’s legitimate part of the OS.
Detailed information :
https://msdn.microsoft.com/en-us/library/windows/desktop/dn313124(v=vs.85).aspx
Summary
Attackers are always evolving and finding new Zero-Day attacks. We need to make more efforts to detect and prevent these attacks, and stop blindly trusting traditional security solutions. Also as shown here it's not only ineffective against Zero-Days but also open new opportunities for the attacker to create complicated and deadly attacks.
No comments:
Post a Comment