Windows ‘DoubleAgent’ Attack Turns AV Tools into Malware
Several antivirus vendors today downplayed a dramatic report warning of a zero-day exploit for compromising AV tools and turning them against the very systems they are designed to protect.
The attack, dubbed DoubleAgent, takes advantage of a legitimate Windows tool called Microsoft Application Verifier and works against AV products from numerous vendors including Symantec, Trend Micro, Kaspersky Lab, ESET, and others, security vendor Cybellum said in an alert this week.
The exploit gives attackers a way to turn an antivirus product from any of these vendors into malware for snooping on users, stealing data from their systems, and for moving laterally across the network and sabotaging the system, Cybellum said. Most importantly, since the malware would masquerade as an AV product, it would also give attackers a way to maintain persistence on a compromised system for as long as they wanted.
“DoubleAgent gives the attacker the ability to control the AV without being detected, while keeping the illusion that the AV is working normally,” says Slava Bronfman, cofounder and CEO of Cybellum.
Bronfman says researchers from the company discovered the issue a few months ago and immediately reported it to Microsoft and the affected AV vendors.
“We reported to all the vendors more than 90 days ago, and gave them plenty of time to patch it,” Bronfman says. “The responsible thing to do now is to publish it, since attackers are examining other vendor patches and might use this attack.”
DoubleAgent takes advantage of an undocumented feature in Microsoft Application Verifier that has been around since at least Windows XP. Application Verifier is a Windows feature that lets developers do runtime verifications of their applications for finding and fixing security issues.
The undocumented feature that Cybellum researchers discovered gives attackers a way to replace the legitimate verifier with a rogue verifier so they can gain complete control of the application.
The technique can be used to hijack any application, not just AV tools, Bronfman says. Attackers do not even need to alter the proof-of-concept code that Cybellum released this week to attack an application. “You just execute it with the requested application name and it would automatically attack it, no matter if it’s an antivirus or a different application,” he says. “Every script kiddie can just compile it, include his malicious code, and use it right away.”
Because the attack exploits a legitimate Windows tool, there’s little Microsoft can do to patch against it, adds Bronfman. “The only thing that can be done to mitigate the problem is per-application mitigation,” he says.
AV vendors would need to figure out if the Microsoft verifier tool can be used against their software and then figure out a way to block it, according to Bronfman. “DoubleAgent works against any application that doesn’t specifically protect itself against DoubleAgent,” he says.
But several security vendors say the threat posed by the DoubleAgent attack is less dramatic than it might first appear.
“This requires an attacker to be able to write to the Windows registry, which is something normally restricted to those with Administrator access,” says Dustin Childs, director of communication for Trend Micro’s Zero Day Initiative. In order to pull off the attack, a threat actor would already need to be in control of a system, he says.
“One area where this issue could be impactful is maintaining access to a compromised system by increasing their chance of persistence,” Childs says.
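The registry write that Childs describes is also the artifact a defender can audit for. The PowerShell script below is an added example written for this page; it is not code from the article, from Cybellum, or from any vendor quoted here. It assumes (as labelled in the comments) that Application Verifier loads the DLLs named in the `VerifierDlls` value of a program's per-image key under `Image File Execution Options` when that key's `GlobalFlag` has the FLG_APPLICATION_VERIFIER bit (0x100) set, and that bare DLL names are resolved from System32. The value names and the flag bit are documented Windows settings; the report layout and the "Suspicious" heuristic are this script's own choices.

```powershell
# Added example (not from the article or from Cybellum): list the per-image
# Application Verifier registrations on this machine and flag any verifier DLL
# that is missing or not carrying a valid Authenticode signature.
# Assumptions: 'VerifierDlls' (REG_SZ, space-separated DLL names) and
# 'GlobalFlag' (REG_DWORD, or a hex string) under each per-image IFEO key are the
# settings Application Verifier honours; bare DLL names resolve from System32.

$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$FlgApplicationVerifier = 0x100

function ConvertTo-FlagValue {
    # GlobalFlag may be stored as a DWORD or as a hex string; normalise it to an int.
    param($Raw)
    if ($null -eq $Raw) { return 0 }
    if ($Raw -is [int]) { return $Raw }
    $text = ([string]$Raw).Trim()
    try { return [Convert]::ToInt32(($text -replace '^0x', ''), 16) } catch { return 0 }
}

function Get-VerifierRegistrations {
    # Emits one record per verifier DLL registered against an image, plus one
    # record for images that have the verifier bit set but name no DLL.
    # No output means no Application Verifier providers are registered.
    param([string]$Path = $IfeoPath)

    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -Path $key.PSPath
        $flags = ConvertTo-FlagValue $props.GlobalFlag
        $dlls  = [string]$props.VerifierDlls
        $verifierBitSet = ($flags -band $FlgApplicationVerifier) -ne 0

        # Skip the common case: an IFEO key used for debugger or compat settings only.
        if (-not $verifierBitSet -and [string]::IsNullOrWhiteSpace($dlls)) { return }

        foreach ($dll in ($dlls -split '[\s,]+' | Where-Object { $_ })) {
            # Bare names are resolved from System32; check that file and its signature.
            $candidate = if ([IO.Path]::IsPathRooted($dll)) { $dll }
                         else { Join-Path $env:SystemRoot "System32\$dll" }
            $status = if (Test-Path -LiteralPath $candidate) {
                          (Get-AuthenticodeSignature -FilePath $candidate).Status.ToString()
                      } else { 'FileMissing' }

            [pscustomobject]@{
                Image           = $key.PSChildName
                VerifierBitSet  = $verifierBitSet
                VerifierDll     = $dll
                ResolvedPath    = $candidate
                SignatureStatus = $status
                # Heuristic chosen here: a verifier DLL that is unsigned, badly
                # signed or missing is the case worth escalating for review.
                Suspicious      = ($status -ne 'Valid')
            }
        }

        if ($verifierBitSet -and [string]::IsNullOrWhiteSpace($dlls)) {
            [pscustomobject]@{
                Image = $key.PSChildName; VerifierBitSet = $true; VerifierDll = '(none)'
                ResolvedPath = ''; SignatureStatus = 'n/a'; Suspicious = $false
            }
        }
    }
}

# Usage: reading HKLM does not normally need elevation. Sort so that entries
# worth a closer look appear first.
Get-VerifierRegistrations | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

On a workstation where nobody has run Application Verifier, the script should print nothing. A row whose image is a security product's executable and whose verifier DLL is missing or fails signature validation matches the persistence pattern Childs describes and is the one to investigate; a row for a developer's own build under test is the benign case this check will also surface.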
Jon Clay, director of global threat communications for Trend Micro, adds that the company’s Trend Micro Consumer endpoint product is vulnerable to DoubleAgent, but a patch for it is already available.
A spokeswoman from ESET confirmed that the company’s AV product for Windows is vulnerable to the DoubleAgent attack. But she added that the severity of the threat is considered very low since attackers would first need to have all necessary admin rights on the victim machine. ESET researchers are currently working on a fix for the issue and will release a customer advisory when it becomes available, she says.
In an emailed statement, a Symantec spokesperson maintained that an attacker would need admin rights plus physical access to a machine—something that Bronfman refutes—in order to pull off an attack. “We confirmed that this PoC does not exploit a product vulnerability within Norton Security,” the spokesperson said. “We remain committed to protecting our customers and have developed and deployed additional detection and blocking protections to users in the unlikely event they are targeted.”
Microsoft declined a request for comment on DoubleAgent.
Meanwhile, Microsoft already provides a mechanism called Protected Processes that is designed to protect AV products against code-injection attacks such as DoubleAgent.
The Protected Processes infrastructure ensures that only trusted, digitally signed code can run inside a protected process, so any attempt to inject a rogue verifier into an AV product would not work. But Microsoft’s own Windows Defender is currently the only AV tool to implement Protected Processes, although the mechanism has been available to third parties for more than three years.
Related stories:
- Multiple Major Security Products Open To Big Vulns Via ‘Hooking Engines’
- FireEye, Kaspersky Lab Scramble To Fix Bugs In Security Tools
- Known Security Flaw Found In More Antivirus Products
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …
Article source: http://www.darkreading.com/threat-intelligence/windows-doubleagent-attack-turns-av-tools-into-malware-/d/d-id/1328462?_mc=RSS_DR_EDT