Cybersecurity researchers have discovered a zero-day vulnerability that would enable attackers to gain access to many major antivirus software brands on the market today and use the software to hijack a user's computer.
Researchers from Israel-based cybersecurity firm Cybellum have found that a 15-year-old legitimate feature of Windows called Microsoft Application Verifier that exists in every single version of the operating system can be exploited to enable hackers to inject malicious code into computers.
Instead of trying to hide from antivirus software, the technique enables attackers to seize control of the antivirus and install malware that hijacks the user's machine to do pretty much anything the hacker wants, from installing backdoors to sending data out to the hacker's server or stealing and encrypting user data.
The flaw affects all major antivirus products like Avast, AVG, Avira, Bitdefender, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Norton, Panda, Quick Heal and Trend Micro, as well as many other small brands.
Malwarebytes, AVG, Trend Micro, Kaspersky Lab, ESET and Avast have all issued statements that they have patched the bug, while Comodo and Symantec claim that their products were either not vulnerable or provide protections able to negate such an attack.
In the case of Norton, owned by Symantec, this is particularly interesting, seeing as the researchers claim their proof of concept demonstration was able to take over the latest version of Norton Antivirus using the method described (see video below).
How the attack works
One of the processes needed to make software run properly on a computer is runtime verification, where the operating system double checks that the software program is doing what it should. To make this work, when you install a new programme on your PC, the software's creators use a Microsoft tool that creates an application verifier provider DLL and then adds it to the Windows Registry by creating a new set of keys.
Once this DLL has been registered, Windows automatically injects the DLL into any relevant process every time it loads, because the DLL is now trusted as being central to making the computer run properly.
So, if you were to create a malicious DLL and register it, Windows Loader would inject the malicious DLL into the antivirus program, and then you could take it over from within. You could also use this method to inject DLLs straight into the processes on the PC you do want to take over, and the antivirus wouldn't detect any malicious activity at all.
This attack method concerning the Windows Application Verifier is so far undocumented, so it remains a part of all Windows operating systems. However Cybellum says that cybersecurity researchers have been discussing how it could be used to attack machines since 2011.
Restricting local admin access could solve this problem
"Attackers are always evolving and finding new zero-day attacks. We need to make more efforts to detect and prevent these attacks, and stop blindly trusting traditional security solutions, that as shown here, are not only ineffective against zero-days but also open new opportunities for the attacker to create complicated and deadly attacks," Cybellum's cofounder and CTO Michael Engstler writes in a blog post.
However, Cybellum stresses that even after hackers have performed the attack and compromised the computer, they will still need to find ways to steal data without being detected, as their other activities might still be detected by the antivirus.
"Whilst the research and results of DoubleAgent are interesting, it should be noted that administrator privileges would most likely be required to successfully hijack the target executables. If an attacker has admin privileges on an end point, this could become a sneaky method of hiding code and gaining persistence, but it's doubtful this will become a major attack vector for malware and ransomware," Tenable Network Security's EMEA technical director Gavin Millard told IBTimes UK.
"The approach of least privilege, using the operating system with a standard user account rather than administrator and restricting local admin access, should mitigate this or make it exceedingly difficult to successfully exploit. "
Even though Avast patched the vulnerability, the firm says that it doesn't think the vulnerability is hugely concerning.
"We were alerted by Cybellum last year through our Bug Bounty program to a potential self-defence bypass exploit. We implemented the fix at the time of reporting and therefore can confirm that both the Avast and AVG 2017 products, launched earlier this year, are not vulnerable," Avast's CTO Ondrej Vlcek told IBTimes UK.
"It is important to note that the exploit requires administrator privileges to conduct the attack and once that's the case, there are numerous other ways to cause damage or modify the underlying operating system itself. Therefore, we rate the severity of this issue as "low" and Cybellum's emphasis on the risk of this exploit to be overstated."