by Bradley Barth, Senior Reporter
March 24, 2017
MICROSOFT TOOL EXPLOIT DOUBLEAGENT CAN TURN ANTIVIRUS SOFTWARE INTO YOUR WORST ENEMY
A code injection technique called DoubleAgent can potentially allow attackers to take over antivirus software and essentially turn it into malware, warn researchers at Cybellum.
Researchers from Israeli zero-day security firm Cybellum have discovered a 15-year-old code injection vulnerability and exploit technique that could allow attackers to maliciously take over antivirus programs and other software by abusing Microsoft's Windows Application Verifier debugging tool.
The zero-day exploit, dubbed DoubleAgent, only works if the attacked computer has already been previously compromised. Still, the technique can seriously escalate the severity of a previous breach, Cybellum claims, allowing an adversary to further elevate privileges and perform virtually any attack imaginable. Moreover, DoubleAgent continues injecting code even after reboot, allowing actors to establish silent persistence on a machine.
The vulnerability exists in all versions of Microsoft's operating system from Windows XP through the latest release of Windows 10. While AV products are not the only software impacted by DoubleAgent, they are among the most dangerous programs to be potentially exploited because these trusted applications are allowed to freely perform highly sensitive actions, allowing attackers to bypass an infected organization's security measures, Cybellum explained in a blog post and corresponding technical write-up.
Cybellum warned that this technique could be used, ironically, to convert AV software into malware that attacks the very users it was tasked to defend. Alternatively, DoubleAgent actors could alter an AV's behavior to render it ineffective, or they could use the AV to exfiltrate data, destroy or encrypt files (perhaps as a ransomware attack), or even flag legitimate processes as security threats in order to induce a denial-of-service scenario.
"What we can do using DoubleAgent is turn a simple malware that would normally turn and hide from an AV in order to protect itself into an advanced persistent threat," said Michael Engstler, Cybellum co-founder and CTO, in an interview with SC Media. There is no evidence at this time, however, that the exploit has ever been used in the wild.
Cybellum disclosed the vulnerability to Microsoft in November 2016 and began informing affected AV vendors shortly thereafter. The company listed the following vendors as susceptible to the vulnerability: Avast (including its Avast and AVG products), Avira, Bitdefender, Comodo, ESET, F-Secure, Kaspersky Lab, Malwarebytes, McAfee, Panda Security, Quick Heal Technologies, Symantec (Norton) and Trend Micro.
The tool at the center of this report, Microsoft Application Verifier, is a runtime verification tool that software developers use to detect and fix bugs in their applications. "Our researchers discovered an undocumented ability of Application Verifier that gives an attacker the ability to replace the standard verifier with his own custom verifier," Cybellum explains in its report. "An attacker can use this ability in order to inject a custom verifier into any application. Once the custom verifier has been injected, the attacker now has full control over the application."
It might seem like the most efficient way to fix the issue would be for Microsoft to revise the tool or modify its functionality, possibly by eliminating the ability to create custom verifiers. But "they don't see this as a vulnerability within their software," Engstler said of Microsoft.
Furthermore, Engstler said that any such action by Microsoft would likely impede well-intentioned developers who are using the runtime verifier for legitimate purposes. On the other hand, Engstler acknowledged that the verifier is "barely used" compared to other Windows features, which arguably means that the tool's risk may outweigh its value proposition for the majority of users.
Ultimately, said Engstler, the onus is on antivirus developers to resolve the issue, perhaps by introducing a mechanism that monitors or places restrictions on how the Microsoft tool is used in conjunction with their software.
Microsoft issued the following statement through a company spokesperson: "The technique described in the report requires an already-compromised machine and only affects third-party applications that don't use Protected Processes." Protected Processes is a Microsoft security model and code integrity service first offered with Windows 8.1 that enables AV vendors to launch their anti-malware user-mode services as a protected service by allowing only trusted, signed code to load. It also includes built-in defense against code injection attacks and other admin-level attacks. Cybellum noted in its post that no AV software, other than Microsoft's very own product, uses this service.
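Engstler's suggestion that vendors monitor how Application Verifier is used against their software can be turned into a host audit. The script below is an added example, not code from Cybellum, SC Media or any vendor named here; it assumes Application Verifier takes its per-executable DLL list from the `VerifierDlls` value under the Image File Execution Options key and that the application-verifier bit in `GlobalFlag` is 0x100, and it lists every registered verifier DLL with its Authenticode status so an analyst can spot one that is missing, unsigned or not Microsoft-signed.

```powershell
# Added audit example (assumptions: IFEO key layout, VerifierDlls value name,
# FLG_APPLICATION_VERIFIER = 0x100, bare DLL names resolved from System32).
function Get-VerifierDllAudit {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            if (-not $props -or -not $props.VerifierDlls) { continue }
            # Is the verifier actually switched on for this executable?
            $verifierOn = ($null -ne $props.GlobalFlag) -and ((([int]$props.GlobalFlag) -band 0x100) -ne 0)
            foreach ($dll in ($props.VerifierDlls -split '[\s,]+' | Where-Object { $_ })) {
                # Assumed lookup: a bare name is resolved from System32, anything else is a path.
                $path = if ($dll -match '[\\/]') { $dll } else { Join-Path $env:SystemRoot "System32\$dll" }
                $sig = if (Test-Path -Path $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
                $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                [pscustomobject]@{
                    Executable      = $key.PSChildName
                    VerifierDll     = $dll
                    ResolvedPath    = $path
                    VerifierEnabled = $verifierOn
                    Signature       = if ($sig) { [string]$sig.Status } else { 'file not found' }
                    Signer          = $signer
                    # Worth a closer look: DLL missing, signature not valid, or signer is not Microsoft.
                    Suspicious      = (-not $sig) -or ($sig.Status -ne 'Valid') -or ($signer -notmatch 'Microsoft')
                }
            }
        }
    }
}

# Run as an administrator so both registry hives and System32 are readable.
Get-VerifierDllAudit | Format-Table -AutoSize
```

This is a point-in-time snapshot; because the article notes the injection survives reboot, a standing detection would also alert on writes to these keys from anything other than the developer tooling that legitimately uses Application Verifier.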
SC Media reached out to all of the listed AV vendors for comment, and has posted the responses it received below. We will continue to update the story as needed. Some vendors have already issued software updates, while others plan to and still others say no action is necessary. In some cases, vendors disputed certain aspects of Cybellum's findings, either claiming that they were not affected by DoubleAgent, or insisting that the exploit is not as serious as the report implies because it requires a previous compromise and because the attacker must either gain local access to the machine or socially engineer the user into elevating privileges. In one case, a vendor even claimed that the exploit in question was not actually a zero-day because another researcher had previously detailed the technique in 2015.
Avast, statement attributed to Ondrej Vlcek, CTO and GM of consumer business: "We were alerted by Cybellum last year through our bug bounty program to a potential self-defense bypass exploit. We implemented the fix at the time of reporting and therefore can confirm that both the Avast and AVG 2017 products, launched earlier this year, are not vulnerable. It is important to note that the exploit requires administrator privileges to conduct the attack and once that's the case, there are numerous other ways to cause damage or modify the underlying operating system itself. Therefore, we rate the severity of this issue as "low" and Cybellum's emphasis on the risk of this exploit to be overstated."
Avira: "The DoubleAgent zero-day exploit shows how Microsoft's Application Verifier can be manipulated and theoretically used to inject malware into a compromised system. Application Verifier is used by app developers to identify and fix bugs in their software. Research by Avira has confirmed that the core Avira Antivirus Pro processes, those responsible for all detection and protection tasks, cannot be impacted by the DoubleAgent PoC. These processes are protected by a self-protection feature within the app which is not accessible via this PoC. There is limited ability to manipulate some lower-level processes which do not have high privileges or rights. Our development team has already reviewed this potential attack vector and is working on a patch to solve this issue. The patch will be released in the next major product update."