Security Experts:

Attackers Can Hijack Security Products via Microsoft Tool

Researchers at Cybellum, an Israel-based company that specializes in zero-day prevention, have identified a new technique that can be used by attackers to take full control of security products.

The attack, dubbed by the security firm “DoubleAgent,” allegedly affects the products of several vendors, including Avast, AVG, Avira, Bitdefender, Trend Micro, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Panda, Quick Heal and Symantec (Norton). However, the company says only a few of the impacted vendors have released patches.

The attack involves the Microsoft Application Verifier, a runtime verification tool for unmanaged code that helps developers quickly find subtle programming errors in their applications. The tool, introduced with Windows XP, is installed by default and enabled on all versions of the operating system.

The tool works by loading a so-called “verifier provider DLL” into the targeted application’s process for runtime testing. Once it’s created, the DLL is added to the Windows Registry as a provider DLL for a specified process. Windows then automatically injects the DLL into all processes with the registered name.

According to Cybellum, this allows a piece of malware executed by a privileged user to register a malicious DLL for a process associated with an antivirus or other endpoint security product, and hijack its agent. The attack method works against any process, but Cybellum has focused on security products.

Some security products attempt to protect the registry keys associated with their processes, but researchers have found a way to easily bypass this protection.

Once the malware hijacks a security product, it can abuse it for various tasks, including to get it to perform malicious operations on the attacker’s behalf, change whitelists/blacklists and internal logic, install backdoors, exfiltrate data, spread the malware to other machines, and encrypt or delete files (i.e. ransomware).

The security firm pointed out that the attack is difficult to block since the malicious code is injected into the process even after a reboot of the system, a software update, or reinstallation of the targeted product.

The DoubleAgent attack is said to work on all versions of Windows, including Windows 10, and any architecture. However, since the method relies on a legitimate tool, there is nothing Microsoft can do about it.

Michael Engstler, co-founder and CTO of Cybellum, told SecurityWeek that DoubleAgent is ideal in the post-breach phase of an attack. “It's the missing part for every malware to become an advanced persistent threat (APT),” he said.

Cybellum has published a blog post containing additional technical details and proof-of-concept (PoC) code. It has also made available a video showing how the attack works against a Norton product:

Cybellum says it has informed all affected antivirus vendors, but so far only Malwarebytes and AVG released patches, and Trend Micro promised to address the issue next week. Kaspersky told SecurityWeek that it added detection and blocking for this malicious scenario to all its products on March 22. 

Comodo claims its products are not vulnerable to this type of injection. However, Cybellum has published a video to demonstrate that they are -- although Engstler clarified that Comodo's antivirus was slightly more difficult to defeat and a different, unreleased PoC has been used for the DoubleAgent attack.

Cybellum decided to make its findings public after giving vendors more than 90 days to ensure that their products are not protected against potential attacks.

“The responsible thing to do now is to publish [the research], since attackers are examining other vendors’ patches and might use this attack,” Engstler explained.

CVE identifiers have been assigned for some of the affected products, including CVE-2017-6186 (Bitdefender), CVE-2017-6417 (Avira), CVE-2017-5567 (Avast), CVE-2017-5566 (AVG) and CVE-2017-5565 (Trend Micro).

In addition to patching the vulnerability, Cybellum says such attacks can be prevented by antivirus vendors via protected processes, a concept introduced by Microsoft in Windows 8.1 for protecting anti-malware services against attacks. The Israeli company says the protection has so far only been implemented in Windows Defender.

*Updated with CVE information and attributed quotes to Michael Engstler. Also clarified that the attack method works against any process, and added Kaspersky to the list of vendors that addressed the issue

* Update March 22 - Comodo says its products are not impacted, but Cybellum has published a video to show that they are, although the attack is slightly different

view counter
Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.