Security News New Attack Uses Microsoft's Application Verifier to Hijack Antivirus Software

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
I would say more. AV's are becoming obsolete with tools like VodooShield or AppGuard and the only problem is that the majority of the people cannot understand how those tools are working and they completely rely on AV's and disable their common sense. Our mission is to educate people around us and show them alternatives for highly overrated security suites.
Default-deny and good browsing habits are the best security combo.
Amen pablozi, well spoken. :cool:
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
5

509322

...AppGuard and the only problem is that the majority of the people cannot understand how those tools are working...

It's really not that difficult. The concepts are not mind-boggling. System Space|User Space concepts with some informative, practical instruction and people begin to grasp the product quickly.
 
5

509322

A report hits the security forums and, as usual, it almost invariably and immediately gets over-inflated. People cursorily read the article without studying it carefully and without doing any kind of online research - see the word "bypass" somewhere in the article - and cry "infection vector !" and begin the mandatory FUD scuzzlebutt campaigns (there's a guy over at Wilders that has made it a full-time career) - and make the move to start demanding additional protection features from their vendor(s) of choice.

Most of the time the articles are not written in an easily understood manner that a lay-person can connect to their home system in practical, concrete terms... whether or not it even applies to them.
 
Last edited by a moderator:
  • Like
Reactions: Deleted member 178

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
It's been around forever - so don't get bent out of shape about it.
The vulnerability is known since many years but now the code is public as the effect on AV/the fact the miss it.
The question is, if it is known since so many years and user should not worry too much, why nobody (msft, AV) fixed it?
The fact most AV don't detect it (still) and virtually every program can be injected/used maliciously is not reassuring.
I'm still reading about it but still need to find a good page that makes clarity on this issue and on how to avoid it.
 

Handsome Recluse

Level 23
Verified
Top Poster
Well-known
Nov 17, 2016
1,242
The vulnerability is known since many years but now the code is public as the effect on AV/the fact the miss it.
The question is, if it is known since so many years and user should not worry too much, why nobody (msft, AV) fixed it?
The fact most AV don't detect it (still) and virtually every program can be injected/used maliciously is not reassuring.
I'm still reading about it but still need to find a good page that makes clarity on this issue and on how to avoid it.
Maybe these things just doesn't happen often enough.
 

Handsome Recluse

Level 23
Verified
Top Poster
Well-known
Nov 17, 2016
1,242
It's really not that difficult. The concepts are not mind-boggling. System Space|User Space concepts with some informative, practical instruction and people begin to grasp the product quickly.
The initial hurdle can't be the only thing that will stop them. Even then, there seems to be no change still. It's not just the matter of can it be implemented, but will it?
 

Captain Awesome

Level 23
Verified
Top Poster
Well-known
May 7, 2016
1,285
Avast, statement attributed to Ondrej Vlcek, CTO and GM of consumer business: “We were alerted by Cybellum last year through our bug bounty program to a potential self-defense bypass exploit. We implemented the fix at the time of reporting and therefore can confirm that both the Avast and AVG 2017 products, launched earlier this year, are not vulnerable. It is important to note that the exploit requires administrator privileges to conduct the attack and once that's the case, there are numerous other ways to cause damage or modify the underlying operating system itself. Therefore, we rate the severity of this issue as "low" and Cybellum's emphasis on the risk of this exploit to be overstated.
Microsoft tool exploit DoubleAgent can turn antivirus software into your worst enemy
 
  • Like
Reactions: Solarquest

Aura

Level 20
Verified
Jul 29, 2014
966
From the same article in the post just above yours.

Microsoft issued the following statement through a company spokespesron: "The technique described in the report requires an already-compromised machine and only affects third-party applications that don't use Protected Processes." Protected Processes is a Microsoft security model and code integrity service first offered with Windows 8.1 that enables AV vendors launch their to anti-malware user-mode services as a protected service by allowing only trusted, signed code to load. It also includes built-in defense against code injection attacks and other admin-level attacks. Cybellum noted in its post that no AV software, other than Microsoft's very own product, uses this service.
 
  • Like
Reactions: Der.Reisende
5

509322

The vulnerability is known since many years but now the code is public as the effect on AV/the fact the miss it.
The question is, if it is known since so many years and user should not worry too much, why nobody (msft, AV) fixed it?
The fact most AV don't detect it (still) and virtually every program can be injected/used maliciously is not reassuring.
I'm still reading about it but still need to find a good page that makes clarity on this issue and on how to avoid it.

It's not something to fret about.

There have been malware in the past that used the technique.

AppVerif has to be on your system...
 
5

509322

This thread is typical over-inflation of an IT security article along with FUD scuzzlebutt.
 
5

509322

If you block the 2 keys don't you "just" block the persistence mechanism?

The answer is in the article that you posted:

"Simply by creating a Windows Registry key, an attacker could name the application he wants to hijack and then provide his own rogue DLL he'd like injected into a legitimate process."
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top