
Method Found to Inject Malware Into Antiviruses and Other Programs

Category: Bugs / Virus
Posted: 02:15PM
Author:

Researchers at Cybellum, a security company focused on zero-day attacks, have discovered a way to use a Microsoft tool to inject malicious code into processes, including those of security products. The tool is the Microsoft Application Verifier, which has shipped with Windows since XP and is meant to help developers find programming errors. It works by loading a "verifier provider DLL" into a process for runtime testing; the DLL is recorded in the registry as a provider DLL for that program, and from then on Windows automatically injects it into every process started under the registered name. What Cybellum found is that a malicious DLL can be registered the same way, so that it is loaded into a security product or any other program and hijacks it for a variety of purposes. This means the technique can turn a piece of malware into an advanced persistent threat that survives reboots.
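The registry mechanism described above is also what a defender can audit. The following PowerShell script is an added example, not code from the article, SecurityWeek or Cybellum: it enumerates the Image File Execution Options (IFEO) keys that name an Application Verifier provider DLL, checks whether the verifier flag is actually set for that image, and flags any provider that is not one of the verifier's own DLLs, does not resolve to System32, or fails signature validation. The allow-list of Microsoft provider DLL names is an assumption and should be extended for any providers your developers legitimately register.

```powershell
# Added audit example (not from the article or Cybellum). Run from an elevated
# PowerShell session; reading HKLM IFEO keys does not require it, but checking
# DLL signatures under System32 is more reliable when elevated.

$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$FLG_APPLICATION_VERIFIER = 0x100          # GlobalFlag bit that enables provider loading
$System32 = Join-Path $env:SystemRoot 'System32'

# Provider DLLs installed by Microsoft's own Application Verifier (assumed allow-list).
$KnownProviders = @(
    'vrfcore.dll', 'vfbasics.dll', 'vfcompat.dll', 'vfluapriv.dll',
    'vfprint.dll',  'vfnet.dll',    'vfntlmless.dll', 'vfnws.dll', 'vfcuzz.dll'
)

function Get-VerifierProviderFindings {
    [CmdletBinding()]
    param([string]$Path = $IfeoPath)

    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        $image = $_.PSChildName                         # target executable name
        $props = Get-ItemProperty -Path $_.PSPath
        if (-not $props.VerifierDlls) { return }        # no provider registered here

        # GlobalFlag may be absent, a DWORD, or a hex string such as "0x100".
        $flag = 0
        if ($null -ne $props.GlobalFlag) { $flag = [int]$props.GlobalFlag }
        $verifierOn = ($flag -band $FLG_APPLICATION_VERIFIER) -ne 0

        # VerifierDlls is a space-separated list of DLL file names.
        foreach ($dll in ($props.VerifierDlls -split '\s+' | Where-Object { $_ })) {
            $resolved   = Join-Path $System32 $dll
            $inSystem32 = Test-Path -LiteralPath $resolved
            $isKnown    = $KnownProviders -contains $dll
            $sigStatus  = 'NotFound'
            if ($inSystem32) {
                $sigStatus = (Get-AuthenticodeSignature -FilePath $resolved).Status.ToString()
            }
            $signed = $sigStatus -eq 'Valid'

            [PSCustomObject]@{
                Image           = $image
                ProviderDll     = $dll
                VerifierActive  = $verifierOn
                KnownProvider   = $isKnown
                FoundInSystem32 = $inSystem32
                Signature       = $sigStatus
                # Only worth alerting on when the flag makes Windows actually load it.
                Suspicious      = $verifierOn -and (-not $isKnown -or -not $inSystem32 -or -not $signed)
            }
        }
    }
}

# Usage: list every registered provider, then just the ones worth investigating.
Get-VerifierProviderFindings | Format-Table -AutoSize
Get-VerifierProviderFindings | Where-Object Suspicious | Format-Table -AutoSize
```

A clean developer workstation with Application Verifier installed will show entries whose provider is one of the known DLLs with a valid Microsoft signature; an entry for a security product's executable pointing at an unknown or unsigned DLL is the pattern the article describes. Because the entries are plain registry values, the same keys are also a sensible target for a change-monitoring rule in your endpoint telemetry.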

The researchers have named the attack DoubleAgent, and it works on every version of Windows, including Windows 10. Because Application Verifier is a legitimate tool, the mechanism itself cannot be blocked; only its malicious use can be. Cybellum has notified several vendors of the issue, but not all have responded yet. AVG, Kaspersky, Malwarebytes, and Trend Micro have already responded with fixes for the vulnerability. Other notified vendors include Avast, Avira, Bitdefender, ESET, F-Secure, McAfee, Panda, Quick Heal, and Symantec (Norton). Comodo was also notified but claimed its product was not vulnerable; it has since been demonstrated that it is, although the attack is more difficult and relies on a different, unreleased DoubleAgent proof-of-concept. Cybellum published its findings after giving the vendors more than 90 days to check whether their products were vulnerable.

Cybellum has also stated that DoubleAgent attacks can be stopped by using protected processes, a feature introduced in Windows 8.1 to shield anti-malware services. So far, only Windows Defender has adopted this protection. The video below demonstrates the attack on Norton.


Source: SecurityWeek and Cybellum



HarryTaco on March 26, 2017 14:16

Thanks for that.  It would pay to keep an eye on this news to see what new developments and remedies occur.



© 2001-2017 Overclockers Club ® Privacy Policy