New Attack Uses Microsoft's Application Verifier to Hijack Antivirus Software

By Catalin Cimpanu
March 21, 2017 03:45 PM 8
Norton antivirus UI modified via DoubleAgent attack Norton antivirus UI modified via DoubleAgent attack
A new technique named DoubleAgent, discovered by security researchers from Cybellum, allows an attacker to hijack security products and make them take malicious actions.

The DoubleAgent attack was uncovered after Cybellum researchers found a way to exploit Microsoft's Application Verifier mechanism to load malicious code inside other applications.

DoubleAgent attack leverages Microsoft's Application Verifier
The Microsoft Application Verifier is a tool that allows developers to verify code for errors at runtime. The tool ships with all Windows versions and works by loading a DLL inside the application developers want to check.

Cybellum researchers discovered that developers could load their own "verifier DLL" instead of the one provided by the official Microsoft Application Verifier.

Simply by creating a Windows Registry key, an attacker could name the application he wants to hijack and then provide his own rogue DLL he'd like injected into a legitimate process. Even if the antivirus software protects the registry keys of their processes, Cybellum researchers claim they've created a proof-of-concept attack that bypasses these protections "by slightly modifying the registry path."

Several antivirus makers affected
Cybellum researchers say that most of today's security products are susceptible to DoubleAgent attacks. The list of affected products includes:

Avast (CVE-2017-5567)
AVG (CVE-2017-5566)
Avira (CVE-2017-6417)
Bitdefender (CVE-2017-6186)
Trend Micro (CVE-2017-5565)
Quick Heal

"We have reported [DoubleAgent to] all the vendors more than 90 days ago, and worked with [a] few of them since," Michael Engstler, Cybellum CTO, told Bleeping Computer in an email.

At the time of writing, "the only vendors that released a patch are Malwarebytes (version number: 3.0.6 Component Update 3), AVG (version number: 16.151.8007) and Trend-Micro (should release it soon)," Engstler added.

DoubleAgent morphs security products into malware
The DoubleAgent attack is extremely dangerous, as it hijacks the security product, effectively disabling it. Depending on an attacker's skill level, he could use the DoubleAgent flaw to load malicious code that:

Turns the security product off
Makes the security product blind to certain malware/attacks
Uses the security product as a proxy to launch attacks on the local computer/network
Elevates the user privilege level of all malicious code (security products typically run with the highest privileges)
Use the security product to hide malicious traffic or exfiltrate data
Damage the OS or the computer
Cause a Denial of Service
By design, the DoubleAgent attack is both a code injection technique and a persistence mechanism, as it allows an attacker to re-inject the malicious DLL inside a targeted process after each boot, thanks to the registry key.

DoubleAgent attack affects all software
Even if the Cybellum team has focused their research on antivirus software, don't think as DoubleAgent as a threat to security products alone.

The vulnerability behind DoubleAgent, and especially its ability to inject code into any process, makes it a threat to any application, even the Windows OS itself.

Engstler, who found the flaw and has been working with security vendors to patch their products, says DoubleAgent is a universal threat.

"This technique can be used to hijack ANY application, even the applications of the operating system itself," the expert told Bleeping Computer. "There is no need to alter our POC code in any way, you just execute it with the requested application name, and it would automatically attack it, no matter if it's an antivirus or a different application."

The proof-of-concept code he's referring to is available on GitHub. Two blog posts detailing the attack, in simple terms, and at a technical level, will be published tomorrow, March 22 [Sentence updated with links]. The YouTube video below shows a DoubleAgent attack in action.

Cybellum recommends that security vendors use Microsoft's Protected Processes mechanism, which the company introduced with Windows 8.1.

Protected Processes is a security system that Microsoft specifically designed for anti-malware services, and which works by wrapping around their processes and not permitting other apps to inject unsigned code.

Of all security products, only Windows Defender currently uses Protected Processes.

UPDATE [March 22, 2017, 15:05 PM ET]: In an email and a forum post, a Comodo representative said Comodo Internet Security is not vulnerable to DoubleAgent attacks, despite Cybellum's claims. Cybellum responded to Comodo's claims by creating a custom POC exploit and recording the attack on video.

UPDATE [March 22, 2017, 15:50 PM ET]: On Twitter, Windows security expert Alex Ionescu has accused Cybellum of allegedly using his research in a series of tweets [1, 2, 3, 4 ,5].