- Jul 28, 2016
Several antivirus products are affected by a design flaw that allows malware or a local attacker to abuse the "restore from quarantine" feature to send previously detected malware to sensitive areas of the user's operating system, helping the malware gain boot persistence with elevated privileges.
Florian Bogner, a security auditor at Kapsch, an Austrian cyber-security company, discovered the flaw, which he is tracking under the codename AVGater.
Some antivirus vendors issued updates
Bogner says he notified all antivirus makers that he tested and found vulnerable. Today, the researcher published his findings after some companies issued updates.
The list includes Trend Micro, Emsisoft, Kaspersky Lab, Malwarebytes, Ikarus, and Zone Alarm by Check Point.
He says other companies will release fixes in the coming days, and that he doesn't rule out that other AV engines that he did not test may also be vulnerable.
How AVGater works
The entire attack is devilishly clever, allowing for both boot persistence and privilege escalation, but still relies on attackers with physical access to the machine, a serious limitation in most cases.
To better understand how the flaw works, it's easier to lay out a successful exploitation scenario:
Step 1 - User gets infected with malware
Step 2 - AV engine detects malware
Step 3 - AV engine moves malware to quarantine
Step 4 - A local attacker with non-admin access runs an exploit on the affected system. This exploit code uses NTFS directory junctions to manipulate the quarantined sample's original file location.
Step 5 - Attacker initiates a "Restore from quarantine" operation.
Step 6 - Infected file is sent back to its location, but the NTFS junction relays that file to a sensitive folder inside C:\Windows. A non-admin user would not be able to copy files inside this folder, but antivirus programs work under SYSTEM privileges, which means the file restored from quarantine will be sent to that folder without triggering errors or alerts.
Step 7 - Because some Windows services or core processes are designed to load/run all DLLs stored in specific Windows directories, when the user reboots his PC the next time, the previously quarantined file will run at startup as part of a Windows service or whitelisted app.
Here you can see the findings of the researcher's report:
#AVGater: Getting Local Admin by Abusing the Anti-Virus Quarantine » #bogner.sh
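The scenario above hinges on the restore operation trusting the recorded "original location" even after a directory on that path has been swapped for a junction. The following is an added illustration of the defensive check an AV restore routine needs; it is not code from the article, from Bogner's report, or from any of the vendors named. It uses a temporary directory tree with constructed paths (`Users/alice/Downloads` standing in for the user's folder, `Windows/System32` standing in for a privileged folder), and on non-Windows systems a symlink plays the role of the NTFS junction. The hardened routine refuses to restore when any component of the destination is a reparse point, or when the canonicalised destination no longer lies under the user-owned root where the file was originally detected.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path


def is_reparse_point(p: Path) -> bool:
    """True if `p` itself is a symlink, or (on Windows) carries the
    FILE_ATTRIBUTE_REPARSE_POINT flag, which is how NTFS directory
    junctions appear. Missing entries are not reparse points."""
    if p.is_symlink():
        return True
    try:
        st = os.lstat(p)
    except FileNotFoundError:
        return False
    attrs = getattr(st, "st_file_attributes", 0)  # only populated on Windows
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)


def has_reparse_component(path: Path) -> bool:
    """Walk every component of `path` (leaf and all ancestors) and report
    whether any one of them is a link/junction that would redirect a write."""
    path = Path(path)
    return any(is_reparse_point(part) for part in [path, *path.parents])


def restore_from_quarantine(quarantine_file: Path, original_path: Path, allowed_root: Path) -> Path:
    """Hardened restore (illustrative, not a vendor implementation).

    Only writes the file back if the recorded original location has not been
    redirected: no link/junction anywhere in the destination directory, and the
    canonical destination still sits below the user-owned `allowed_root`."""
    original_path = Path(original_path)
    if has_reparse_component(original_path.parent):
        raise PermissionError(f"destination directory contains a link/junction: {original_path.parent}")
    canonical = Path(os.path.realpath(original_path))
    root = Path(os.path.realpath(allowed_root))
    if root not in canonical.parents:
        raise PermissionError(f"canonical destination {canonical} escapes {root}")
    shutil.copy2(quarantine_file, canonical)
    return canonical


def demo() -> dict:
    """Run an honest restore, then the redirected restore from the article's
    scenario, and report what happened. All paths are constructed in a tempdir."""
    base = Path(tempfile.mkdtemp()).resolve()
    user_root = base / "Users" / "alice"           # stands in for the user's profile
    protected = base / "Windows" / "System32"      # stands in for a SYSTEM-only folder
    quarantine = base / "Quarantine"
    for d in (user_root / "Downloads", protected, quarantine):
        d.mkdir(parents=True)
    sample = quarantine / "sample.bin.quar"
    sample.write_bytes(b"constructed placeholder, not real malware")
    original = user_root / "Downloads" / "sample.bin"   # location recorded at detection time

    # Honest restore: the recorded location is still a plain directory.
    restored = restore_from_quarantine(sample, original, user_root)
    honest_ok = restored == original and original.exists()

    # Redirected restore: the user's Downloads folder is replaced by a link
    # (junction stand-in) pointing at the protected directory.
    original.unlink()
    shutil.rmtree(user_root / "Downloads")
    os.symlink(protected, user_root / "Downloads", target_is_directory=True)
    try:
        restore_from_quarantine(sample, original, user_root)
        blocked = False
    except PermissionError:
        blocked = True
    landed_in_protected = (protected / "sample.bin").exists()

    shutil.rmtree(base)
    return {"honest_ok": honest_ok, "blocked": blocked, "landed_in_protected": landed_in_protected}


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately redundant: the component walk catches the junction the scenario describes, and the canonical-path check catches any other redirection trick that turns the recorded location into a different real path. Both are only meaningful because the restore runs with privileges the requesting user lacks; a further design fix is to perform the write while impersonating the user who asked for the restore, so that a redirected copy into `C:\Windows` fails with access denied exactly as it would for the user.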