some quotes from the article above:
A new technique named DoubleAgent, discovered by security researchers from Cybellum, allows an attacker to hijack security products and make them take malicious actions.
The DoubleAgent attack was uncovered after Cybellum researchers found a way to exploit Microsoft's Application Verifier mechanism to load malicious code inside other applications.
DoubleAgent attack leverages Microsoft's Application Verifier
The Microsoft Application Verifier is a tool that allows developers to verify code for errors at runtime. The tool ships with all Windows versions and works by loading a DLL inside the application developers want to check. Cybellum researchers discovered that developers could load their own "verifier DLL" instead of the one provided by the official Microsoft Application Verifier.
Simply by creating a Windows Registry key, an attacker could name the application he wants to hijack and then provide his own rogue DLL he'd like injected into a legitimate process.
Several antivirus makers affected
Cybellum researchers say that most of today's security products are susceptible to DoubleAgent attacks. The list of affected products includes:
Trend Micro (CVE-2017-5565)
DoubleAgent morphs security products into malware
The DoubleAgent attack is extremely dangerous, as it hijacks the security product, effectively disabling it. Depending on an attacker's skill level, he could use the DoubleAgent flaw to load malicious code that:
By design, the DoubleAgent attack is both a code injection technique and a persistence mechanism, as it allows an attacker to re-inject the malicious DLL inside a targeted process after each boot, thanks to the registry key.
- Turns the security product off
- Makes the security product blind to certain malware/attacks
- Uses the security product as a proxy to launch attacks on the local computer/network
- Elevates the user privilege level of all malicious code (security products typically run with the highest privileges)
- Use the security product to hide malicious traffic or exfiltrate data
- Damage the OS or the computer
- Cause a Denial of Service