Security researchers at Cybellum have revealed details of a zero-day exploit that makes it possible for an attacker to take full control of antivirus software. The technique can be used to take control of just about any application, but by focusing on antivirus tools, the illusion of safety offered to victims means they are likely to be completely unaware of what is happening.
The attack works by exploiting the Microsoft Application Verifier that’s built into Windows. It is possible to replace the tool with a custom verifier which can then be used to inject malicious code into any chosen application. A number of well-known antivirus tools — including Avast, BitDefender, ESET, Kaspersky, and F-Secure — are vulnerable, while patches have been released for others.
Explaining how the exploit works, Cybellum says: “The attack begins when the attacker injects code into the antivirus by exploiting a new Zero-Day vulnerability. Once inside, the attacker can fully control the antivirus. We named this attack DoubleAgent, as it turns your antivirus security agent into a malicious agent, giving an illusion that the antivirus protects you while actually it is abused in order to attack you.”
Full details of how the exploit works can be found on the Cybellum technical blog, but it is a modern take on the idea of a Trojan in essence. Cybellum has published a video showing how Norton Antivirus can be compromised:
The DoubleAgent exploit can be used on all versions of Windows from Windows XP to Windows 10, and the use of a persistency technique means that injected code can survive a system reboot. The security firm explains:
Microsoft offers a standard way to install runtime verification tools for native code via Microsoft Application Verifier Provider DLLs. A verifier provider DLL is simply a DLL that is loaded into the process and is responsible for performing runtime verifications for the application.
In order to register a new Application Verifier Provider DLL one needs to create a verifier provider DLL and register it by creating a set of keys in the registry.
Once a DLL has been registered as a verifier provider DLL for a process, it would permanently be injected by the Windows Loader into the process every time the process starts, even after reboots/updates/reinstalls/patches/etc.
Cybellum goes on to say that it is very easy for antivirus producers to implement a method of protection against this zero-day, but it is simply not being done:
Microsoft has provided a new design concept for antivirus vendors called Protected Processes. The new concept is specially designed for antivirus services. Antivirus processes can be created as “Protected Processes” and the protected process infrastructure only allows trusted, signed code to load and has built-in defense against code injection attacks. This means that even if an attacker found a new Zero-Day technique for injecting code, it could not be used against the antivirus as its code is not signed. Currently no antivirus (except Windows Defender) has implemented this design. Even though Microsoft made this design available more than 3 years ago.
It’s important to note, that even when the antivirus vendors would block the registration attempts, the code injection technique and the persistency technique would live forever since it’s a legitimate part of the OS.
The source code for the DoubleAgent can be found on Github.