Threat Intelligence
3/22/2017
04:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Windows 'DoubleAgent' Attack Turns AV Tools into Malware

Zero-day attack exploits a legitimate process in Windows, according to Cybellum; AV vendors downplay threat.

[This article was updated on 3/23/17 at 2:40pmET]

Several antivirus vendors today downplayed a dramatic report warning of a zero-day exploit for compromising AV tools and turning them against the very systems they are designed to protect.

The attack, dubbed DoubleAgent, takes advantage of a legitimate Windows tool called Microsoft Application Verifier and works against AV products from numerous vendors including Symantec, Trend Micro, Kaspersky Lab, ESET, and others, security vendor Cybellum said in an alert this week.

The exploit gives attackers a way to turn an antivirus product from any of these vendors into malware for snooping on users, stealing data from their systems, and for moving laterally across the network and sabotaging the system, Cybellum said. Most importantly, since the malware would masquerade as an AV product, it would also give attackers a way to maintain persistence on a compromised system for as long as they wanted.

"DoubleAgent gives the attacker the ability to control the AV without being detected, while keeping the illusion that the AV is working normally," says Slava Bronfman, cofounder and CEO of Cybellum.

Bronfman says researchers from the company discovered the issue a few months ago and immediately reported it to Microsoft and the affected AV vendors.

"We have reported all the vendors more than 90 days ago, and gave them plenty of time to patch it," Bronfman says. "The responsible thing to do now is to publish it, since attackers are examining other vendor patches and might use this attack."

DoubleAgent takes advantage of an undocumented feature in Microsoft Application Verifier that has been around since at least Windows XP. Application Verifier is a Windows feature that lets developers do runtime verifications of their applications for finding and fixing security issues.

The undocumented feature that Cybellum researchers discovered gives attackers a way to replace the legitimate verifier with a rogue verifier so they can gain complete control of the application.

The technique can be used to hijack any application, not just AV tools, Bronfman says. Attackers do not even need to alter the proof-of-concept code that Cybellum released this week to attack an application. "You just execute it with the requested application name and it would automatically attack it, no matter if it's an antivirus or a different application," he says. "Every script kiddie can just compile it, include his malicious code, and use it right away."

Because the attack exploits a legitimate Windows tool, there's little Microsoft can do to patch against it, adds Bronfman. "The only thing that can be done to mitigate the problem is per-application mitigation," he says.

AV vendors would need to figure out if the Microsoft verifier tool can be used against their software and then figure out a way to block it, according to Bronfman. "DoubleAgent works against any application that doesn't specifically protect itself against DoubleAgent" he says.

But several security vendors say the threat posed by the DoubleAgent attack is less dramatic than it might first appear.

"This requires an attacker to be able to write to the Windows registry, which is something normally restricted to those with Administrator access," says Dustin Childs, director of communication for Trend Micro’s Zero Day Initiative. In order to pull off the attack, a threat actor would already need to be in control of a system, he says.

"One area where this issue could be impactful is maintaining access to a compromised system by increasing their chance of persistence," Childs says.

Jon Clay, director of global threat communications for Trend Micro, adds that the company’s Trend Micro Consumer endpoint product is vulnerable to DoubleAgent, but a patch for it is already available.

A spokeswoman from ESET confirmed that the company’s AV product for Windows is vulnerable to the DoubleAgent attack. But she add that the severity of the threat is considered very low since attackers would first need to have all necessary admin right on the victim machine. [UPDATE] ESET on Thursday announced it has a fix for the issue. [END OF UPDATE]

In an emailed statement, a Symantec spokesperson maintained that an attacker would need admin rights plus physical access to a machine—something that Bronfman refutes—in order to pull off an attack. "We confirmed that this PoC does not exploit a product vulnerability within Norton Security," the spokesperson said. "We remain committed to protecting our customers and have developed and deployed additional detection and blocking protections to users in the unlikely event they are targeted."

[UPDATE 3/23]: Two AV vendors Thursday said they already have a fix for the issue while a third said it working on one.

In a statement, Kaspersky Lab said that as of March 22, its AV products have been updated with capabilities for detecting and blocking the DoubleAgent attack. Like the other vendors, the company noted that an attacker would need to have previously compromised a system and escalated privileges on the device in order to register a new Application Verifier Provider. "This vulnerability allows the attacker to inject code into most OS processes, not just security solutions," the company said. "Kaspersky Lab recommends that all customers keep their security solutions up to date and do not disable behavior-based detection features.”

AV vendor Avast said it implemented a fix for its products soon after Cybellum reported the issue to the company via its Bug Bounty program. Avast said in a statement that based on its evaluation of the things an attacker would first need to do to pull off a DoubleAgent type attack, Cybellum’s own emphasis on the risk posed by the exploits is "overstated." 

F-Secure, meanwhile said in a statement, contends that the flaw is not a zero-day: "Scenarios where an attacker has already compromised a machine and elevated themselves to admin are well-known in the cyber security industry. The described method, while an interesting academic exercise, was initially presented by Alex Ionescu at several conferences during 2015. It is thus not a zero-day attack," F-Secure said. F-Secure is working on a fix for affected products and will roll it out as soon as ready, the company said. [END OF UPDATE]

Microsoft declined a request for comment on DoubleAgent.

Meanwhile, Microsoft already provides a mechanism called Protected Processes that is designed to protect AV products against code-injection attacks such as DoubleAgent.

The Protected Processes infrastructure ensures that only trusted and digitally signed can run, so any attempt to inject a rogue verifier into an AV product would not work. But Microsoft’s own Windows Defender currently is the only tool to implement Protected Processes, although it has been available to third parties for more than three years.

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
technicalaccademy
50%
50%
technicalaccademy,
User Rank: Apprentice
3/23/2017 | 1:42:35 AM
windows
Thanks for sharing windows double agent attack turns av tools in to malware.it is nice
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.