Anti-viruses can be hijacked via legit Windows tool

Reseachers at Israeli zero-day prevention firm Cybellum have identified a new attack that can hijack and take full control of security and other software through a legitimate Windows tool.

DoubleAgent in action.

Cybellum discovered what it has dubbed the 'DoubleAgent' attack after realising it could exploit the Windows mechanism that allows developers to check for errors in their application code.

The Application Verifier tool is present in all current versions of Windows. It loads a 'verifier DLL' (dynamic link library) into the application's process for runtime testing.

The DLL is then added to the Windows Registry as a provider DLL for the particular process, and injected automatically by Windows into all processes with the registered name. A user needs admin privileges to use the tool.

As the Application Verifier tool does not check that the verifier DLL is authentic, attackers can load their own malicious version into applications rather than Microsoft's official variant, Cybellum found.

Attackers can create a Windows Registry key, identify the target application, and then load their own malicious DLL to hijack the application, they reported.

The attack can be executed on all versions of Windows, and is difficult to block given the malicious code can be re-injected into the targeted process after system reboots, thanks to the persistent registry key.

The researchers said most current anti-virus products on the market are susceptible to the attack, including those from Avast, AVG, Avira, Bitdefender, Trend Micro, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Panda, Quick Heal, and Norton.

After hijacking the anti-virus, attackers could disable the security product, make it blind to certain malware and attacks, use it as a proxy to launch attacks on the local computer or network, elevate the user privilege level of all malicious code, hide malicious traffic or exfiltrate data, or cause a denial of service, the firm said.

Cybellum said it had reported the attack to all affected vendors more than 90 days ago.

So far only Malwarebytes, AVG, and Trend Micro have released patches.

However, whilst the firm highlighted the threat to security products, it pointed out that all applications were potentially at risk given the technique can be used with any application, even those bundled with the operating system.

Cybellum has posted proof-of-concept code on GitHub, as well as a video and two blog posts detailing the attack.

The security firm said using the protected processes mechanism, which was introduced by Microsoft in Windows 8.1, would mitigate the attack.

The mechanism protects anti-malware services against attacks by not allowing other apps to inject unsigned code, but the protected processes mechanism has only so far been implemented in Windows Defender.