Attackers Can Hijack Security Products via Microsoft Tool

Researchers at Cybellum, an Israel-based company that specializes in zero-day prevention, have identified a new technique that can be used by attackers to take full control of security products.

The attack, dubbed by the security firm “DoubleAgent,” allegedly affects the products of several vendors, including Avast, AVG, Avira, Bitdefender, Trend Micro, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Panda, Quick Heal and Symantec (Norton). However, the company says only a few of the impacted vendors have released patches.

The attack involves the Microsoft Application Verifier, a runtime verification tool for unmanaged code that helps developers quickly find subtle programming errors in their applications. The tool, introduced with Windows XP, is installed by default and enabled on all versions of the operating system.

The tool works by loading a so-called “verifier provider DLL” into the targeted application’s process for runtime testing. Once it’s created, the DLL is added to the Windows Registry as a provider DLL for a specified process. Windows then automatically injects the DLL into all processes with the registered name.

According to Cybellum, this allows a piece of malware executed by a privileged user to register a malicious DLL for a process associated with an antivirus or other endpoint security product, and hijack its agent. The attack method works against any process, but Cybellum has focused on security products.

Some security products attempt to protect the registry keys associated with their processes, but researchers have found a way to easily bypass this protection.
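The registration the article describes lives in the Image File Execution Options (IFEO) key: a `VerifierDlls` value names the provider DLL and the `FLG_APPLICATION_VERIFIER` bit of `GlobalFlag` turns the verifier on for that image. The audit script below is an added example, not Cybellum's PoC or any vendor's code; it lists every image with a verifier provider registered and flags ones that are not Microsoft's own provider DLLs. The allow-list of Microsoft verifier DLL names is an assumption to adjust to your baseline.

```powershell
# Added defensive audit: enumerate Application Verifier provider DLLs
# registered under IFEO and flag anything that is not a known Microsoft provider.
# Run from an elevated PowerShell prompt (HKLM is readable without it, but
# Get-AuthenticodeSignature on System32 files may need it on hardened hosts).

# Assumption: illustrative allow-list of Microsoft's own verifier provider DLLs.
$knownVerifierDlls = @('vrfcore.dll', 'vfbasics.dll', 'vfcompat.dll',
                       'vfluapriv.dll', 'vfprint.dll', 'vfnet.dll', 'vfntddk.dll')

$FLG_APPLICATION_VERIFIER = 0x100   # GlobalFlag bit that enables Application Verifier

$ifeoRoots = @(
  'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

$findings = foreach ($root in $ifeoRoots) {
  if (-not (Test-Path $root)) { continue }
  foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if ([string]::IsNullOrWhiteSpace($props.VerifierDlls)) { continue }

    $image = $key.PSChildName                      # e.g. some-agent.exe
    $gf = 0
    if ($null -ne $props.GlobalFlag) { $gf = [int]$props.GlobalFlag }
    $procName = [IO.Path]::GetFileNameWithoutExtension($image)
    $running = $null -ne (Get-Process -Name $procName -ErrorAction SilentlyContinue)

    # VerifierDlls is a space-separated list; providers are loaded from System32/SysWOW64.
    foreach ($dll in ($props.VerifierDlls -split '\s+' | Where-Object { $_ })) {
      $sysPath = Join-Path $env:SystemRoot "System32\$dll"
      $signer = $null
      if (Test-Path $sysPath) {
        $signer = (Get-AuthenticodeSignature -FilePath $sysPath).SignerCertificate.Subject
      }
      [pscustomobject]@{
        Image             = $image
        TargetRunning     = $running
        VerifierDll       = $dll
        VerifierEnabled   = (($gf -band $FLG_APPLICATION_VERIFIER) -ne 0)
        KnownMicrosoftDll = ($knownVerifierDlls -contains $dll.ToLower())
        Signer            = $signer
        RegistryKey       = $key.Name
      }
    }
  }
}

# Anything registered against a running process with an unknown provider is worth a look.
$findings | Where-Object { -not $_.KnownMicrosoftDll } | Format-Table -AutoSize
```

A clean workstation normally returns nothing from the final filter; an entry whose `Image` is a security agent and whose `VerifierDll` is an unknown or unsigned file matches the persistence pattern the article describes.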

Once the malware hijacks a security product, it can abuse it for various tasks, including to get it to perform malicious operations on the attacker’s behalf, change whitelists/blacklists and internal logic, install backdoors, exfiltrate data, spread the malware to other machines, and encrypt or delete files (i.e. ransomware).

The security firm pointed out that the attack is difficult to block since the malicious code is injected into the process even after a reboot of the system, a software update, or reinstallation of the targeted product.

The DoubleAgent attack is said to work on all versions of Windows, including Windows 10, and any architecture. However, since the method relies on a legitimate tool, there is nothing Microsoft can do about it.

Michael Engstler, co-founder and CTO of Cybellum, told SecurityWeek that DoubleAgent is ideal in the post-breach phase of an attack. “It’s the missing part for every malware to become an advanced persistent threat (APT),” he said.

Cybellum has published a blog post containing additional technical details and proof-of-concept (PoC) code. It has also made available a video showing how the attack works against a Norton product.

Cybellum says it has informed all affected antivirus vendors, but so far only Malwarebytes and AVG released patches, and Trend Micro promised to address the issue next week. Kaspersky told SecurityWeek that it added detection and blocking for this malicious scenario to all its products on March 22.

Comodo claims its products are not vulnerable to this type of injection. However, Cybellum has published a video to demonstrate that they are — although Engstler clarified that Comodo’s antivirus was slightly more difficult to defeat and a different, unreleased PoC has been used for the DoubleAgent attack.

Cybellum decided to make its findings public after giving vendors more than 90 days to ensure that their products are protected against potential attacks.

“The responsible thing to do now is to publish [the research], since attackers are examining other vendors’ patches and might use this attack,” Engstler explained.

CVE identifiers have been assigned for some of the affected products, including CVE-2017-6186 (Bitdefender), CVE-2017-6417 (Avira), CVE-2017-5567 (Avast), CVE-2017-5566 (AVG) and CVE-2017-5565 (Trend Micro).

In addition to patching the vulnerability, Cybellum says such attacks can be prevented by antivirus vendors via protected processes, a concept introduced by Microsoft in Windows 8.1 for protecting anti-malware services against attacks. The Israeli company says the protection has so far only been implemented in Windows Defender.

*Updated with CVE information and attributed quotes to Michael Engstler. Also clarified that the attack method works against any process, and added Kaspersky to the list of vendors that addressed the issue.

*Update March 22 – Comodo says its products are not impacted, but Cybellum has published a video to show that they are, although the attack is slightly different.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
