A new Zero-day attack has emerged that may endanger your antivirus (irony, much?). The new attack, termed DoubleAgent, has the ability to control your antivirus using a Microsoft technology called Application Verifier, and a 15-year old Windows XP era vulnerability.
The hacker may use the Application Verifier, which is a runtime verification tool, in order to discover and fix bugs in applications. He can then inject his own custom verifier into any particular application, in this case, an antivirus. This undocumented ability of the application may allow the attacker to have complete control over the program , which enables him or her to wreak havoc on your system.
The cyber-security research team explains:
Once the attacker has gained control of the antivirus, he may command it to perform malicious operations on behalf of the attacker. Because the antivirus is considered a trusted entity, any malicious operation done by it would be considered legitimate, giving the attacker the ability to bypass all the security products in the organization.
The POC code was tested on the following vendors:
- Avast (CVE-2017-5567)
- AVG (CVE-2017-5566)
- Avira (CVE-2017-6417)
- Bitdefender (CVE-2017-6186)
- Trend Micro (CVE-2017-5565)
- Quick Heal
What makes DoubleAgent worse than other attacks is that in most hacks, the attacker needs to work a little harder to avoid the antivirus. An attack from something like this gives them the freedom to do as they please, without fear of interference. In essence, there would be no obstacle to stop them fromdestabilizing your system.
Usage cases for DoubleAgent coud be:
- Turning the Antivirus into malware
- Modifying the Antivirus' internal behavior
- Abusing the Antivirus' trusted nature
- Destroying the machine
- Denial of Service
Additionally, the hacker could run persistence mechanisms on your system, which allows for a permanent presence on that system, even after reboots, updates, reinstalls, patches, etc. Another possibility is the use of a Generic Code Injection Technique to insert malicious code into legitimate processes.
Microsoft has provided vendors with Protected Processes to mitigate code injection attacks by only allowing trusted, signed code to load. No antivirus other than Windows Defender has implemented this design, even though it has been available for three years.
Your best bet right now would be to use Windows Defender, and at least one former Mozilla engineer recommends it.
Update: As pointed out by +goretsky in the comments, the ESET's software referenced in the discussion is an older version. Cybellum, itself admits that the antivirus software does implement "Protected Processes" but, not over all process so "they are still vulnerable". Additionally, TrendMicro has released a hotfix for the vulnerability which can be found here.
The security research team also notes that their major discovery wasn't in identifying the Microsoft tool instead, it highlighted the fact that antiviruses were unable to detect generic code injection or the generic persistence technique. Most importantly and perhaps dangerously, injecting code directly into the AV while bypassing its self-protection techniques was the most significant highlight of the finding.