by Bradley Barth, Senior Reporter
March 24, 2017
MICROSOFT TOOL EXPLOIT DOUBLEAGENT CAN TURN ANTIVIRUS SOFTWARE INTO YOUR WORST ENEMY
A code injection technique called DoubleAgent can potentially allow attackers to take over antivirus software and essentially turn it into malware, warn researchers at Cybellum.
Researchers from Israeli zero-day security firm Cybellum have discovered a 15-year-old code injection vulnerability and exploit technique that could allow attackers to maliciously take over antivirus programs and other software by abusing Microsoft's Windows Application Verifier debugging tool.
The zero-day exploit, dubbed DoubleAgent, only works if the attacked computer has already been previously compromised. Still, the technique can seriously escalate the severity of a previous breach, Cybellum claims, allowing an adversary to further elevate privileges and perform virtually any attack imaginable. Moreover, DoubleAgent continues injecting code even after reboot, allowing actors to establish silent persistence on a machine.
The vulnerability exists in all versions of Microsoft's operating system from Windows XP through the latest release of Windows 10. While AV products are not the only software impacted by DoubleAgent, they are among the most dangerous programs to be potentially exploited because these trusted applications are allowed to freely perform highly sensitive actions, allowing attackers to bypass an infected organization's security measures, Cybellum explained in a blog post and corresponding technical write-up.
Cybellum warned that this technique could be used, ironically, to convert AV software into malware that attacks the very users it was tasked to defend. Alternatively, DoubleAgent actors could alter an AV's behavior to render it ineffective, or they could use the AV to exfiltrate data, destroy or encrypt files (perhaps as a ransomware attack), or even flag legitimate processes as security threats in order to induce a denial-of-service scenario.
"What we can do using DoubleAgent is turn a simple malware that would normally turn and hide from an AV in order to protect itself into an advanced persistent threat," said Michael Engstler, Cybellum co-founder and CTO, in an interview with SC Media. There is no evidence at this time, however, that the exploit has ever been used in the wild.
Cybellum disclosed the vulnerability to Microsoft in November 2016 and began informing affected AV vendors shortly thereafter. The company listed the following vendors as susceptible to the vulnerability: Avast (including its Avast and AVG products), Avira, Bitdefender, Comodo, ESET, F-Secure, Kaspersky Lab, Malwarebytes, McAfee, Panda Security, Quick Heal Technologies, Symantec (Norton) and Trend Micro.
The tool at the center of this report, Microsoft Application Verifier, is a runtime verification tool that software developers use to detect and fix bugs in their applications. "Our researchers discovered an undocumented ability of Application Verifier that gives an attacker the ability to replace the standard verifier with his own custom verifier," Cybellum explains in its report. "An attacker can use this ability in order to inject a custom verifier into any application. Once the custom verifier has been injected, the attacker now has full control over the application."
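The article does not say where the verifier registration lives, so as an added defender-side example (not code from the article or from Cybellum): Application Verifier is enabled per executable through an Image File Execution Options (IFEO) subkey whose GlobalFlag has the 0x100 bit set and whose VerifierDlls value names the DLL the loader injects at start-up, so a custom verifier that survives reboot leaves exactly such an entry. The script below audits a `reg export` of that key for any image with the verifier turned on; the sample export, the image name `avscanner.exe` and the DLL name are constructed.

```python
"""Audit a 'reg export' of Image File Execution Options for verifier DLLs.

Added example, not from the article. Export the key on a live host with
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
then read it with encoding="utf-16" (reg export writes UTF-16) and pass the
text to audit_ifeo(). Values stored as hex(...) byte runs are not decoded.
"""
import re

FLG_APPLICATION_VERIFIER = 0x100  # GlobalFlag bit that switches AppVerifier on

# Constructed sample: a harmless entry with the flag clear, and a suspicious
# entry that enables the verifier for an (assumed) AV executable.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscanner.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="verifier_custom.dll"
"""


def parse_reg(text):
    """Return {last path component of subkey: {value name: raw value text}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].rsplit("\\", 1)[-1], {})
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            current[name] = raw
    return keys


def audit_ifeo(text):
    """List (image, verifier DLLs) for every image with AppVerifier enabled.

    An image is reported when its GlobalFlag carries FLG_APPLICATION_VERIFIER
    or when it names any VerifierDlls at all; legitimate use of the verifier is
    rare enough that each hit deserves a manual look.
    """
    findings = []
    for image, values in parse_reg(text).items():
        m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", values.get("GlobalFlag", ""))
        flags = int(m.group(1), 16) if m else 0
        dlls = values.get("VerifierDlls", "").strip('"')
        if flags & FLG_APPLICATION_VERIFIER or dlls:
            findings.append((image, dlls))
    return findings
```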
It might seem like the most efficient way to fix the issue would be for Microsoft to revise the tool or modify its functionality, possibly by eliminating the ability to create custom verifiers. But "they don't see this as a vulnerability within their software," said Engstler of Microsoft.
Furthermore, Engstler said that any such action by Microsoft would likely impede well-intentioned developers who are using the runtime verifier for legitimate purposes. On the other hand, Engstler acknowledged that the verifier is "barely used" compared to other Windows features, which arguably means that the tool's risk may outweigh its value proposition for the majority of users.
Ultimately, said Engstler, the onus is on antivirus developers to resolve the issue, perhaps by introducing a mechanism that monitors or places restrictions on how the Microsoft tool is used in conjunction with their software.
Microsoft issued the following statement through a company spokesperson: "The technique described in the report requires an already-compromised machine and only affects third-party applications that don't use Protected Processes."
Protected Processes is a Microsoft security model and code integrity service first offered with Windows 8.1 that enables AV vendors to launch their anti-malware user-mode services as a protected service by allowing only trusted, signed code to load. It also includes built-in defense against code injection attacks and other admin-level attacks. Cybellum noted in its post that no AV software, other than Microsoft's very own product, uses this service.
SC Media reached out to all of the listed AV vendors for comment, and has posted the responses it received below. We will continue to update the story as needed. Some vendors have already issued software updates, while others plan to and still others say no action is necessary. In some cases, vendors disputed certain aspects of Cybellum's findings, either claiming that they were not affected by DoubleAgent, or insisting that the exploit is not as serious as the report implies because it requires a previous compromise and because the attacker must either gain local access to the machine or socially engineer the user into elevating privileges. In one case, a vendor even claimed that the exploit in question was not actually a zero-day because another researcher had previously detailed the technique in 2015.
Vendor Statements:
Avast, statement attributed to Ondrej Vlcek, CTO and GM of consumer business: "We were alerted by Cybellum last year through our bug bounty program to a potential self-defense bypass exploit. We implemented the fix at the time of reporting and therefore can confirm that both the Avast and AVG 2017 products, launched earlier this year, are not vulnerable. It is important to note that the exploit requires administrator privileges to conduct the attack and once that's the case, there are numerous other ways to cause damage or modify the underlying operating system itself. Therefore, we rate the severity of this issue as 'low' and Cybellum's emphasis on the risk of this exploit to be overstated."
Avira: "The DoubleAgent zero-day exploit shows how Microsoft's Application Verifier can be manipulated and theoretically used to inject malware into a compromised system. Application Verifier is used by app developers to identify and fix bugs in their software. Research by Avira has confirmed that the core Avira Antivirus Pro processes, those responsible for all detection and protection tasks, cannot be impacted by the DoubleAgent PoC. These processes are protected by a self-protection feature within the app which is not accessible via this PoC. There is limited ability to manipulate some lower-level processes which do not have high privileges or rights. Our development team has already reviewed this potential attack vector and is working on a patch to solve this issue. The patch will be released in the next major product update."