Security researchers from computer and network security outfit Cybellum have revealed a new zero-day code injection and persistence technique that can be used by attackers to take over applications and entire Windows machines.
They demonstrated the attack on antivirus solutions, and ultimately dubbed it DoubleAgent, as it turns the antivirus security agent into a malicious agent.
The DoubleAgent attack
“DoubleAgent exploits a legitimate tool of Windows called ‘Microsoft Application Verifier’ which is a tool included in all versions of Microsoft Windows and is used as a runtime verification tool in order to discover and fix bugs in applications,” the company explained.
“Our researchers discovered an undocumented ability of Application Verifier that gives an attacker the ability to replace the standard verifier with his own custom verifier. An attacker can use this ability in order to inject a custom verifier into any application. Once the custom verifier has been injected, the attacker now has full control over the application.”
“By using DoubleAgent, the attacker can take full control over the antivirus and do as he wishes without the fear of being caught or blocked,” they noted. This includes:
- Turning the app into malware (while not being identified as such by other security solutions)
- Modifying its behaviour (making it stop working)
- Using it to perform actions that would otherwise be flagged as suspicious almost immediately (e.g. exfiltrating data, C&C communication, etc.)
- Damaging the computer (encrypting files, formatting hard drives, etc.) or the OS, and more.
Cybellum researchers demonstrated a DoubleAgent code injection against Symantec Norton antivirus, and offered PoC exploit code on GitHub.
Is there a solution?
The researchers have notified major antivirus vendors of their findings, and some of them (Malwarebytes, AVG) have already issued a patch for the vulnerability. Trend Micro’s patch is also in the works. Among the still vulnerable antivirus apps are those by Avast, BitDefender, ESET, Kaspersky, and F-Secure.
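A defender's audit for the custom-verifier mechanism described above, as an added example that is not from the article or from Cybellum: it parses the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s` and flags executables whose registered Application Verifier provider DLL is not on an allowlist. The registry location and the `VerifierDlls` and `GlobalFlag` value names are not given in the article; the allowlist and the sample entries (`avagent.exe`, `helper_x64.dll`) are assumptions constructed for illustration.

```python
import re

IFEO = r"\Image File Execution Options" + "\\"
# Assumption: DLLs shipped with Microsoft's Application Verifier; extend as needed.
KNOWN_PROVIDERS = {"vrfcore.dll", "vfbasics.dll", "vfcompat.dll"}
FLG_APPLICATION_VERIFIER = 0x100  # GlobalFlag bit that enables a verifier

# Constructed sample of `reg query "<IFEO key>" /s` output (not real data).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devtool.exe
    GlobalFlag    REG_DWORD    0x100
    VerifierDlls    REG_SZ    vrfcore.dll vfbasics.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avagent.exe
    GlobalFlag    REG_DWORD    0x100
    VerifierDlls    REG_SZ    helper_x64.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
    MitigationOptions    REG_BINARY    0000
"""

def parse_ifeo(text):
    """Return {image_name: {value_name: data}}; image name is the subkey under IFEO."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            _, _, tail = line.partition(IFEO)
            current = entries.setdefault(tail.lower(), {}) if tail else None
        elif current is not None and line.startswith("    "):
            parts = re.split(r"\s{4}", line.strip(), maxsplit=2)
            if len(parts) == 3:  # name, type, data
                current[parts[0].lower()] = parts[2].strip()
    return entries

def audit(text):
    """List (image, unknown_dlls, verifier_flag_set) for unexpected providers."""
    findings = []
    for image, values in sorted(parse_ifeo(text).items()):
        dlls = values.get("verifierdlls", "").lower().split()
        unknown = [d for d in dlls if d not in KNOWN_PROVIDERS]
        if unknown:
            flag = int(values.get("globalflag", "0"), 16)
            findings.append((image, unknown, bool(flag & FLG_APPLICATION_VERIFIER)))
    return findings

if __name__ == "__main__":
    for image, dlls, enabled in audit(SAMPLE):
        print(f"{image}: unexpected verifier provider {dlls}, enabled={enabled}")
```

Developers who use Application Verifier legitimately will also appear in this key, so a finding is a lead to review, with security products' own executables the entries to check first.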