Security News New Attack Uses Microsoft's Application Verifier to Hijack Antivirus Software

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
some quotes from the article above:

A new technique named DoubleAgent, discovered by security researchers from Cybellum, allows an attacker to hijack security products and make them take malicious actions.

The DoubleAgent attack was uncovered after Cybellum researchers found a way to exploit Microsoft's Application Verifier mechanism to load malicious code inside other applications.


DoubleAgent attack leverages Microsoft's Application Verifier

The Microsoft Application Verifier is a tool that allows developers to verify code for errors at runtime. The tool ships with all Windows versions and works by loading a DLL inside the application developers want to check. Cybellum researchers discovered that developers could load their own "verifier DLL" instead of the one provided by the official Microsoft Application Verifier.
Simply by creating a Windows Registry key, an attacker could name the application he wants to hijack and then provide his own rogue DLL he'd like injected into a legitimate process.

Several antivirus makers affected

Cybellum researchers say that most of today's security products are susceptible to DoubleAgent attacks. The list of affected products includes:

Avast (CVE-2017-5567)
AVG (CVE-2017-5566)
Avira (CVE-2017-6417)
Bitdefender (CVE-2017-6186)
Trend Micro (CVE-2017-5565)
Comodo
ESET
F-Secure
Kaspersky
Malwarebytes
McAfee
Panda
Quick Heal
Norton




DoubleAgent morphs security products into malware

The DoubleAgent attack is extremely dangerous, as it hijacks the security product, effectively disabling it. Depending on an attacker's skill level, he could use the DoubleAgent flaw to load malicious code that:

  • Turns the security product off
  • Makes the security product blind to certain malware/attacks
  • Uses the security product as a proxy to launch attacks on the local computer/network
  • Elevates the user privilege level of all malicious code (security products typically run with the highest privileges)
  • Use the security product to hide malicious traffic or exfiltrate data
  • Damage the OS or the computer
  • Cause a Denial of Service
By design, the DoubleAgent attack is both a code injection technique and a persistence mechanism, as it allows an attacker to re-inject the malicious DLL inside a targeted process after each boot, thanks to the registry key.
 
5

509322

I'm curious of a couple things.
1. How results on detection for this file in the Malware Hub.

It's a Proof-of-Concept (PoC) - it isn't in the wild - so there is no malware to collect, submit\scan for detection, or test against security softs mentioned.

Besides, if I recall correctly, AppVerif.exe is digitally signed by Microsoft... and no AV is going to detect a legit Microsoft programming troubleshooting utility.
 
Last edited by a moderator:

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
Does that means Qihoo, Emsisoft etc are not affected? There's no mention that they were affected by the CIA hack (see below)

The full list of security products included in the WikiLeaks Vault 7 dump are as follows:

Comodo
Avast
F-Secure
Zemana Antilogger
Zone Alarm
Trend Micro
Symantec
Rising
Panda Security
Norton
Malwarebytes Anti-Malware
EMET (Enhanced Mitigation Experience Toolkit)
Microsoft Security Essentials
McAfee
Kaspersky
GDATA
ESET
ClamAV
Bitdefender
Avira
AVG
 
Last edited:
5

509322

That's one of my goals this year and I'm only with appguard lockdown mode and windows defender disabled :), awesome difference than traditional AV.

Enable Windows Defender or use your AV of choice.

Disabling Windows Defender is not recommended.

We don't recommend abandoning antivirus and firewall, but at the same time that doesn't mean you need to install a 1 GB internet suite.

At home, behind a NAT router you really do not need anything other than Windows Firewall to cover your firewall needs.

Enable Windows Defender and use Windows Firewall Control (Secure Rules).
 

larry goes to church

Level 3
Verified
Mar 10, 2017
103
Does that means Qihoo, Emsisoft etc are not affected? There's no mention that they were affected by the CIA hack (see below)

The full list of security products included in the WikiLeaks Vault 7 dump are as follows:

Comodo
Avast
F-Secure
Zemana Antilogger
Zone Alarm
Trend Micro
Symantec
Rising
Panda Security
Norton
Malwarebytes Anti-Malware
EMET (Enhanced Mitigation Experience Toolkit)
Microsoft Security Essentials
McAfee
Kaspersky
GDATA
ESET
ClamAV
Bitdefender
Avira
AVG
The CIA pretty much owned most majo AVs by the looks of it ahaha
 

enaph

Level 28
Verified
Honorary Member
Top Poster
Well-known
Jun 14, 2011
1,787
Just my guess but I think that vulnerabilities of antivirus (mainly big names) are becoming more frequent. AV is not enough and is becoming useless
I would say more. AV's are becoming obsolete with tools like VodooShield or AppGuard and the only problem is that the majority of the people cannot understand how those tools are working and they completely rely on AV's and disable their common sense. Our mission is to educate people around us and show them alternatives for highly overrated security suites.
Default-deny and good browsing habits are the best security combo.
 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
That's one of my goals this year and I'm only with appguard lockdown mode and windows defender disabled :), awesome difference than traditional AV.
About the signatures we have already written rivers of words.
Behavior blocker can sometimes prove to be unable to counteract some of the new malware that regularly appear. Let's take an example: suppose that a X vendor has developed a behavior blocker can detect 100% of the current malware in circulation. What would be the reaction of the malcoders in the circumstances? For sure they would invent a method completely different to be able to infect the computer victim, invisible to this BB. At this point, this BB would need to see urgent updates for its rules for the recognition of behaviors.
But malwriters can constantly find new ways to circumvent the protective action of the new updates. In the end, inevitably, and probably we will see the same situation as the signatures scanning; in fact, the signatures of the malware may be in the form of “behaviours”, instead of “code fragments”.
Default Deny/Lockdown Mode would be a more manageable condition.
 

BugCode

Level 10
Verified
Well-known
Jan 9, 2017
468
"Shortly"; it is a endless war! But "they" found sooner or later vulnerabilities when you power on your PC (if they want). As guru's has already saying, there's no 100% bulletproof security. But you can reduce the risk like default deny lockdown / CF (cs-settings) etc. And last but not least common sense & safe habits!. Well as all the thing in the world, they who have more money have more power! It's a cruel world. But there are always people behind the "curtain" who wanna play a game & that game is endless!
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
About the signatures we have already written rivers of words.
Behavior blocker can sometimes prove to be unable to counteract some of the new malware that regularly appear. Let's take an example: suppose that a X vendor has developed a behavior blocker can detect 100% of the current malware in circulation. What would be the reaction of the malcoders in the circumstances? For sure they would invent a method completely different to be able to infect the computer victim, invisible to this BB. At this point, this BB would need to see urgent updates for its rules for the recognition of behaviors.
But malwriters can constantly find new ways to circumvent the protective action of the new updates. In the end, inevitably, and probably we will see the same situation as the signatures scanning; in fact, the signatures of the malware may be in the form of “behaviours”, instead of “code fragments”.
Default Deny/Lockdown Mode would be a more manageable condition.

I think we need all 3:
- common sense and more security awareness, information
- Default Deny/Lockdown Mode
-BB: the more they improve the less ways will be available to hide from them/more difficult it will be to bypass them.
 

Fel Grossi

Level 13
Verified
Top Poster
Well-known
Jan 17, 2014
619
Discussions in Comodo forum..

Hi Guys,
It's Michael from Cybellum here.
First of all I would like to give a lot of credit to Comodo as it was one of the most challenging antiviruses to attack with DoubleAgent.
Comodo implemented a very interesting feature called CIS Protected Registry Keys which in fact was supposed to block DoubleAgent-like attacks.

We struggled at the beginning and indeed Comodo managed to block most attempts to attack it via DoubleAgent.
It was tricky, but eventually we succeeded, and Comodo is vulnerable to DoubleAgent just like all the other antiviruses.

I took the time and effort to upload a POC video showing DoubleAgent successfully attacking Comodo
This video was done a few minutes ago, so it obviously affects the latest version of Comodo.

The Comodo attack is the only one that doesn't use our publicly available POC code, but rather a different private code.
We decided not to share the private code in order to protect Comodo users, but Egemen (from Comodo) have received it and is aware of it.
Egemen has done a great work communicating with us, and hopefully a new patch would be released soon to close Comodo's vulnerability to DoubleAgent.


Michael Engstler
Co-Founder & CTO, Cybellum



Answers from egemen (Comodo engineer)

Correct. The PoC we have is a new COMODO specific issue which can allow attacker to do a few things with default configuration. Default config needs to be slightly changed. See below for configuration changes to cover this PoC as well.
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top