Security researchers at Cybellum, a PC security firm in Tel Aviv, Israel, have discovered a rather nasty new zero-day attack that allows remote attackers to hijack popular antivirus programs and turn them into malicious agents. The technique is called DoubleAgent, named after the fact that a compromised antivirus agent might give the illusion that it's protecting a PC when it's actually installing malware.
"DoubleAgent exploits a 15 year old vulnerability which works on all versions of Microsoft Windows, starting from Windows XP right up to the latest release of Windows 10. The sad, but plain fact is that the vulnerability is yet to be patched by most of the antivirus vendors and could be used in the wild to attack almost any organization that uses an antivirus," Cybellum explains. "Once the attacker has gained control of the antivirus, he may command it to perform malicious operations on behalf of the attacker."
The zero-day attack works by exploiting a legitimate tool in Windows called Microsoft Application Verifier. This tool is included in all version of Windows and is used to root out subtle programming errors that might otherwise be difficult to identify with normal application testing. However, Cybellum's researchers discovered a more nefarious use—they found an undocumented ability of the tool that gives an attacker the ability to replace the standard verifier with a custom one.
"An attacker can use this ability in order to inject a custom verifier into any application. Once the custom verifier has been injected, the attacker now has full control over the application," Cybellum says.
Cybellum demonstrated this ability by hijacking Symantec's popular Norton Security program. Here is what Norton typically looks like:
And here is a modified version:
It is not just Norton that can be hijacked. Using the latest version of Windows 10, Cybellum verified that this method also works on Avast, AVG, Avira, Bitdefender, Trend Micro, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Panda, and Quick Heal. That is an extensive list, and it's probably nowhere near complete.
This is just a proof-of-concept to illustrate that it's possible to hijack a well known antivirus product. Attackers who might use this method of malicious purposes are not likely to advertise that they've hacked a person's computers, and instead will dish out malware on the sly. To the victim, everything would appear to be in order even though his antivirus software is working against him.
Cybellum says Microsoft's new design concept for antivirus vendors called Protection Processes is immune to this sort of attack. At present, only Microsoft's own Windows Defender uses this method, even though Microsoft Protection Processes available three years ago.
If you're not running Windows Defender, be on the lookout for an update from your security vendor that specifically addresses this vulnerability.