A new Zero-Day attack that is capable of taking full control over antivirus software has been disclosed by Cybellum, an Israel-based security firm. Dubbed “DoubleAgent”, it is a zero-day attack that first hijacks the antivirus software and then uses the same software to inject malware into the computer/system. The antivirus now becomes malware.
The DoubleAgent zero-day attack exploits Microsoft’s Application Verifier tool, which is used by app developers to detect bugs and develop fixes. During testing with the tool, a DLL (dynamic link library) file (standard verifier) provided by Microsoft must be loaded into the applications. Exploiting the vulnerability, attackers can exploit and inject their own malicious DLL as a custom verifier, and the antivirus software will get hijacked.
The hijacked and corrupted antivirus app can be now be used to take over the computers running on any Windows operating system – even the latest Windows 10 OS. In testing, Cybellum was able to make the antivirus app function as a disk-encrypting ransomware.
Cybellum reports that it had notified prominent antivirus companies about the vulnerability. Considering the type of vulnerability it would seem that most, if not all, antivirus solutions would be susceptible to this exploit. Some antivirus providers have issued software patches to fix the bug.
Regarding the functionality of the Application Verifier Microsoft explains, “Application Verifier is designed specifically to detect and help debug memory corruptions and critical security vulnerabilities”.
The antivirus program is always considered as a trusted entity by the computer, and hence any operation it does would be considered as legitimate. An attacker would be able to use the antivirus program to perform malicious operations. It is not only antivirus programs, but the exploit could be used to take over other targets through persistent malware attacks.
Comodo, the global leader in cyber security solutions responded to Cybellum’s listing of vulnerable antivirus solutions and stated that Comodo’s Internet Security (CIS) was not vulnerable due to the unique manner in which its layered defense worked.
“Most of the disagreement comes from not understanding how CIS layered defense works and assuming CIS is like the classical antivirus products mentioned in the original article. Never mind protecting itself against such attacks, CIS protects EVERY other application against such attacks too”, Egemen Tas, Comodo’s SVP of Worldwide Engineering stated in an e-mail.
The Fix
Cybellum reports that the easiest fix for the bug would be to move to the new “Protected Processes” architecture offered by Microsoft. This new concept is for antivirus services where all antivirus processes would be created as “Protected Processes”. This infrastructure would allow only trusted, signed code to load, and would block code injection attacks. As unsigned code cannot be used against the antivirus protection, attackers cannot use any Zero-Day techniques to inject malicious code.
