Hi people,
Just wanted to post this here as this could have the potential to really do some damage.
A new zero-day attack has emerged that may endanger your antivirus (irony, much?). The new attack, termed DoubleAgent, has the ability to control your antivirus using a Microsoft technology called Application Verifier, and a 15-year-old Windows XP era vulnerability. The hacker may use the Application Verifier, which is a runtime verification tool, in order to discover and fix bugs in applications. He can then inject his own custom verifier into any particular application, in this case, an antivirus. This undocumented ability of the application may allow the attacker to have complete control over the program, which enables him or her to wreak havoc on your system.
The cyber-security research team explains:
Once the attacker has gained control of the antivirus, he may command it to perform malicious operations on behalf of the attacker. Because the antivirus is considered a trusted entity, any malicious operation done by it would be considered legitimate, giving the attacker the ability to bypass all the security products in the organization.
The POC code was tested on the following vendors:
Avast (CVE-2017-5567)
AVG (CVE-2017-5566)
Avira (CVE-2017-6417)
Bitdefender (CVE-2017-6186)
Trend Micro (CVE-2017-5565)
Comodo
ESET
F-Secure
Kaspersky
Malwarebytes
McAfee
Panda
Quick Heal
Norton
What makes DoubleAgent worse than other attacks is that in most hacks, the attacker needs to work a little harder to avoid the antivirus. An attack from something like this gives them the freedom to do as they please, without fear of interference. In essence, there would be no obstacle to stop them from destabilizing your system. Usage cases for DoubleAgent could be:
Turning the Antivirus into malware
Modifying the Antivirus’ internal behavior
Abusing the Antivirus’ trusted nature
Destroying the machine
Denial of Service
Additionally, the hacker could run persistence mechanisms on your system, which allows for a permanent presence on that system, even after reboots, updates, reinstalls, patches, etc. Another possibility is the use of a Generic Code Injection Technique to insert malicious code into legitimate processes. Microsoft has provided vendors with Protected Processes to mitigate code injection attacks by only allowing trusted, signed code to load. No antivirus other than Windows Defender has implemented this design, even though it has been available for three years.
Your best bet right now would be to use Windows Defender, and at least one former Mozilla engineer recommends it.
Could Avast and other AV products please use that protected process in an update to combat this? Makes me worried that my and other systems could fall victim to this code.
Source - http://cybellum.com/doubleagent-taking-full-control-antivirus/
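Since the post describes Application Verifier being used to load a custom verifier into the antivirus, here is an added defender-side check (my own example, not code from the post or from Cybellum) that audits the registry registrations Application Verifier relies on. It assumes an elevated PowerShell session on 64-bit Windows, and that a legitimate verifier provider is a Microsoft-signed DLL in System32; anything else registered against a process image is worth investigating.

```powershell
# Added example: list Application Verifier provider registrations under
# Image File Execution Options (IFEO) and flag unsigned or missing ones.
# Assumption: providers are loaded by name from %SystemRoot%\System32.
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

$findings = foreach ($key in Get-ChildItem -Path $ifeoRoot -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    # Only image entries that register verifier DLLs are of interest.
    if (-not $props.VerifierDlls) { continue }

    # GlobalFlag bit 0x100 (FLG_APPLICATION_VERIFIER) tells the loader to honour VerifierDlls.
    $globalFlag = 0
    if ($null -ne $props.GlobalFlag) { $globalFlag = [int]$props.GlobalFlag }
    $verifierEnabled = ($globalFlag -band 0x100) -ne 0

    # VerifierDlls is a space-separated list of DLL names.
    foreach ($dll in ($props.VerifierDlls -split '\s+' | Where-Object { $_ })) {
        $path = Join-Path $env:SystemRoot "System32\$dll"
        if (Test-Path $path) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        } else {
            $status = 'FileMissing'
            $signer = ''
        }
        [pscustomobject]@{
            Image           = $key.PSChildName
            VerifierDll     = $dll
            VerifierEnabled = $verifierEnabled
            Signature       = $status
            Signer          = $signer
        }
    }
}

# Print everything, then call out the entries a defender should look at first:
# verifier active for the image and the provider is not a validly signed file.
$findings | Format-Table -AutoSize
$findings |
    Where-Object { $_.VerifierEnabled -and $_.Signature -ne 'Valid' } |
    ForEach-Object {
        Write-Warning ("Suspicious verifier provider for {0}: {1} ({2})" -f $_.Image, $_.VerifierDll, $_.Signature)
    }
```

On a clean machine that has never had Application Verifier enabled, the list is normally empty; a registration against an antivirus executable, especially one pointing at a DLL that is unsigned or not present in System32, is the pattern to treat as suspicious and to monitor for with registry auditing.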