A new attack mechanism has been uncovered by Cybellum security researchers that can be used to hijack a PC by injecting malicious computer code via the very thing that people believe is protecting their system: the Anti-virus software. Instead of the typical malware which tries to hide itself, the new attack called DoubleAgent, targets the Anti-virus software and takes control of it.
This attack is made possible because of a 15-year old feature in Windows called Microsoft Application Verifier. Everytime an application is launched, the Microsoft Application Verifier has to verify it. The DoubleAgent attack injects a custom verifier into any application and takes place extremely early into the victim’s boot process. It affects all versions of Microsoft’s Windows operating system. The fix has to come from anti-virus vendors themselves but so far only MalwareBytes and AVG have issued a patch for their anti-virus software. Avast has issued a statement through FossBytes that their anti-virus has already been patched against DoubleAgent earlier this year.
“We were alerted by Cybellum last year through our Bug Bounty program to a potential self-defense bypass exploit. We implemented the fix at the time of reporting and therefore can confirm that both the Avast and AVG 2017 products, launched earlier this year, are not vulnerable. It is important to note that the exploit requires administrator privileges to conduct the attack which is difficult for hackers to achieve. Therefore, in this context, we consider the likelihood of such an attack to be low and Cybellum’s emphasis on the risk of this exploit to be overstated.”
The list of affected vendors are:
- Avast
- AVG
- Avira
- Bitdefender
- Trend Micro
- Comodo
- ESET
- F-Secure
- Kaspersky
- Malwarebytes
- McAfee
- Panda
- Quick Heal
- Norton
Cybellum has published videos on their YouTube channel demonstrating the DoubleAgent attack on various popular Anti-virus programs:
