Security News: New Attack Uses Microsoft's Application Verifier to Hijack Antivirus Software

Azure


_CyberGhosT_

I would say more. AVs are becoming obsolete with tools like VoodooShield or AppGuard, and the only problem is that the majority of people cannot understand how those tools work, so they completely rely on AVs and disable their common sense. Our mission is to educate people around us and show them alternatives to highly overrated security suites.
Default-deny and good browsing habits are the best security combo.
Amen pablozi, well spoken. :cool:

509322

...AppGuard, and the only problem is that the majority of people cannot understand how those tools work...

It's really not that difficult. The concepts are not mind-boggling. System Space|User Space concepts with some informative, practical instruction and people begin to grasp the product quickly.

509322

A report hits the security forums and, as usual, it almost invariably and immediately gets over-inflated. People cursorily read the article without studying it carefully and without doing any kind of online research, see the word "bypass" somewhere in the article, cry "infection vector!" and begin the mandatory FUD scuttlebutt campaigns (there's a guy over at Wilders who has made it a full-time career), and then make the move to start demanding additional protection features from their vendor(s) of choice.

Most of the time the articles are not written in an easily understood manner that a layperson can connect to their home system in practical, concrete terms... whether or not it even applies to them.

Solarquest

It's been around forever - so don't get bent out of shape about it.
The vulnerability has been known for many years, but now the code is public, as is the effect on AVs/the fact that they miss it.
The question is, if it has been known for so many years and users should not worry too much, why has nobody (MSFT, AV) fixed it?
The fact that most AVs (still) don't detect it and virtually every program can be injected into/used maliciously is not reassuring.
I'm still reading about it but still need to find a good page that brings clarity to this issue and to how to avoid it.

Handsome Recluse

The vulnerability has been known for many years, but now the code is public, as is the effect on AVs/the fact that they miss it.
The question is, if it has been known for so many years and users should not worry too much, why has nobody (MSFT, AV) fixed it?
The fact that most AVs (still) don't detect it and virtually every program can be injected into/used maliciously is not reassuring.
I'm still reading about it but still need to find a good page that brings clarity to this issue and to how to avoid it.
Maybe these things just don't happen often enough.

Handsome Recluse

It's really not that difficult. The concepts are not mind-boggling. System Space|User Space concepts with some informative, practical instruction and people begin to grasp the product quickly.
The initial hurdle can't be the only thing that will stop them. Even then, there seems to be no change still. It's not just a matter of whether it can be implemented, but whether it will be.

Captain Awesome

Avast, statement attributed to Ondrej Vlcek, CTO and GM of consumer business: "We were alerted by Cybellum last year through our bug bounty program to a potential self-defense bypass exploit. We implemented the fix at the time of reporting and therefore can confirm that both the Avast and AVG 2017 products, launched earlier this year, are not vulnerable. It is important to note that the exploit requires administrator privileges to conduct the attack and once that's the case, there are numerous other ways to cause damage or modify the underlying operating system itself. Therefore, we rate the severity of this issue as 'low' and Cybellum's emphasis on the risk of this exploit to be overstated."
Microsoft tool exploit DoubleAgent can turn antivirus software into your worst enemy

Aura

From the same article in the post just above yours.

Microsoft issued the following statement through a company spokesperson: "The technique described in the report requires an already-compromised machine and only affects third-party applications that don't use Protected Processes." Protected Processes is a Microsoft security model and code integrity service first offered with Windows 8.1 that enables AV vendors to launch their anti-malware user-mode services as a protected service by allowing only trusted, signed code to load. It also includes built-in defense against code injection attacks and other admin-level attacks. Cybellum noted in its post that no AV software, other than Microsoft's very own product, uses this service.

509322

The vulnerability has been known for many years, but now the code is public, as is the effect on AVs/the fact that they miss it.
The question is, if it has been known for so many years and users should not worry too much, why has nobody (MSFT, AV) fixed it?
The fact that most AVs (still) don't detect it and virtually every program can be injected into/used maliciously is not reassuring.
I'm still reading about it but still need to find a good page that brings clarity to this issue and to how to avoid it.

It's not something to fret about.

There have been malware in the past that used the technique.

AppVerif has to be on your system...

509322

This thread is typical over-inflation of an IT security article along with FUD scuttlebutt.

509322

If you block the 2 keys don't you "just" block the persistence mechanism?

The answer is in the article that you posted:

"Simply by creating a Windows Registry key, an attacker could name the application he wants to hijack and then provide his own rogue DLL he'd like injected into a legitimate process."
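An added audit example for defenders, written for this thread rather than taken from it or from Cybellum's report: it lists which executables have Application Verifier DLLs registered through the registry key the article describes, and which services already use the Protected Process model Microsoft mentioned in the statement Aura quoted. The Image File Execution Options path, the GlobalFlag bit and the LaunchProtected value are documented Windows locations that the thread itself does not name; they are assumptions of this script.

```powershell
# Audit script (added example, not from the thread). Run from an elevated
# PowerShell on the machine being checked; it only reads the registry.
# Assumed, documented Windows locations (the thread does not name them):
$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$FLG_APPLICATION_VERIFIER = 0x100   # GlobalFlag bit that enables verifier DLL loading

function Get-VerifierHooks {
    # Each IFEO subkey is named after an executable. A VerifierDlls value,
    # combined with GlobalFlag bit 0x100, makes the loader pull those DLLs
    # into the named process, which is the behaviour the thread discusses.
    foreach ($root in $ifeoPaths) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($null -ne $p.VerifierDlls) {
                $flags = 0
                # GlobalFlag may be stored as DWORD or as a string such as "0x100"
                if ($null -ne $p.GlobalFlag) { $flags = [int]$p.GlobalFlag }
                [pscustomobject]@{
                    Executable   = $_.PSChildName
                    VerifierDlls = $p.VerifierDlls
                    VerifierOn   = (($flags -band $FLG_APPLICATION_VERIFIER) -ne 0)
                    Hive         = $root
                }
            }
        }
    }
}

function Get-ProtectedServices {
    # LaunchProtected on a service key: 1 = Windows, 2 = Windows light,
    # 3 = Antimalware light. Absent or 0 means the service is not protected
    # and is therefore the kind of target the Microsoft statement refers to.
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p.LaunchProtected -gt 0) {
            [pscustomobject]@{ Service = $_.PSChildName; LaunchProtected = $p.LaunchProtected }
        }
    }
}

Write-Host '== Executables with Application Verifier DLLs registered (expect none on a clean box) =='
Get-VerifierHooks | Format-Table -AutoSize
Write-Host '== Services launched as protected processes =='
Get-ProtectedServices | Format-Table -AutoSize
```

Any VerifierDlls entry naming a security product's executable, or pointing at a DLL outside the Application Verifier install, deserves a closer look; the second table shows whether your own AV service has opted into the protection Microsoft describes.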