Dubbed DoubleAgent, the new injecting code technique works on all versions of Microsoft Windows operating systems, starting from Windows XP to the latest release of Windows 10.
What's worse? DoubleAgent exploits a 15-years-old undocumented legitimate feature of Windows called "Application Verifier," which cannot be patched.
Application Verifier is a runtime verification tool that loads DLLs (dynamic link library) into processes for testing purpose, allowing developers quickly detect and fix programming errors in their applications.
Unpatchable Microsoft Application Verifier Exploit
The vulnerability resides in how this Application Verifier tool handles DLLs. According to the researchers, as part of the process, DLLs are bound to the target processes in a Windows Registry entry, but attackers can replace the real DLL with a malicious one.
Also Read: Hacker Reveals Easiest Way to Hijack Privileged Windows User Session Without Password
Simply by creating a Windows Registry key with the name same as application he wants to hijack, an attacker can provide his own custom verifier DLL he would like to inject into a legitimate process of any application.
Once the custom DLL has been injected, the attacker can take full control of the system and perform malicious actions, such as installing backdoors and persistent malware, hijacking the permissions of any existing trusted process, or even hijacking other users’ sessions.
Here's how the Cybellum researchers say this attack can work:
"DoubleAgent gives the attacker the ability to inject any DLL into any process. The code injection occurs extremely early during the victim’s process boot, giving the attacker full control over the process and no way for the process to protect itself."
Using DoubleAgent Attack to Take Full Control of Anti-Virus
The team was able to corrupt the anti-virus app using the DoubleAgent attack and get the security software to act as disk-encrypting ransomware.
Also Read: Microsoft Started Blocking Windows 7/8.1 Updates For PCs Running New Processors
The attack works on every version of Windows OS from Windows XP to Windows 10 and is hard to block because the malicious code can be re-injected into the targeted legitimate process after the system reboots – Thanks to the persistent registry key.
The researchers said most of the today's security products on the market are susceptible to the DoubleAgent attacks. Here's the list of affected security products:
- Avast (CVE-2017-5567)
- AVG (CVE-2017-5566)
- Avira (CVE-2017-6417)
- Bitdefender (CVE-2017-6186)
- Trend Micro (CVE-2017-5565)
- Quick Heal
After hijacking the anti-virus software, attackers can also use the DoubleAgent attack to disable the security product, making it blind to malware and cyber attacks, using the security product as a proxy to launch attacks on the local computer or network, elevating the user privilege level of all malicious code, hiding malicious traffic or exfiltrate data, or damaging the OS or causing a denial of service.
Note: Cybellum researchers only focused on anti-virus programs, though the DoubleAgent attack could work with any application, even Windows operating system itself.
Many Antiviruses Still Unpatched Even After 90 Days Of Responsible Disclosure
Cybellum said the company had reported the DoubleAgent attack to all affected anti-virus vendors more than 90 days ago.
Cybellum researchers have been working with some anti-virus companies to patch the issue, but so far, only Malwarebytes and AVG have released a patch, while Trend-Micro has planned to release one soon, as well.
So, if you use any of the three apps mentioned above, you are strongly advised to update it as soon as possible.
As a mitigation, the researchers note that the simplest fix for antivirus vendors is to switch from Application Verifier to a newer architecture called Protected Processes.
Protected processes mechanism protects anti-malware services against such attacks by not allowing other apps from injecting unsigned code, but this mechanism has so far been implemented only in Windows Defender, which was introduced by Microsoft in Windows 8.1.
Cybellum has also provided a video demonstration of the DoubleAgent attack, showing how they turned an antivirus app into a ransomware that encrypts files until you pay up.
The company also posted proof-of-concept (PoC) code on GitHub, and two blog posts detailing the DoubleAgent attack.