DoubleAgent Zero Day Threat

Researchers from Israeli Cyber Security Company Cybellum have discovered a zero day bug that impacts most of the versions of Windows. The attack works on every version of Windows OS from Windows XP to Windows 10 and is hard to block because the malicious code can be re-injected into the targeted legitimate process after the system reboots – thanks to the persistent registry key.

The researchers have said: Most of the today’s security products on the market are susceptible to this DoubleAgent attack. Instead of hiding and running away from the antivirus, attackers can now directly assault and hijack control over the antivirus.

Here’s the list of affected security products:

·    AVG (CVE-2017-5566)
·    Avast (CVE-2017-5567)
·    Avira (CVE-2017-6417)
·    Bitdefender (CVE-2017-6186)
·    Trend Micro (CVE-2017-5565)
·    Comodo
·    ESET
·    F-Secure
·    Kaspersky
·    Malwarebytes
·    McAfee
·    Panda
·    Quick Heal
·    Norton

How the attack works:

“The attack begins when the attacker injects code into the antivirus by exploiting a new Zero-Day vulnerability. Once inside, the attacker can fully control the antivirus. We named this attack DoubleAgent, as it turns your antivirus security agent into a malicious agent, giving an illusion that the antivirus protects you while actually it is abused in order to attack you.

After hijacking the anti-virus software, attackers can also use the DoubleAgent attack to disable the security product, making it blind to malware and cyber attacks, using the security product as a proxy to launch attacks on the local computer or network, elevating the user privilege level of all malicious code, hiding malicious traffic or exfiltrate data, or damaging the OS or causing a denial of service.

DoubleAgent exploits a 15 year old vulnerability which works on all versions of Microsoft Windows, starting from Windows XP right up to the latest release of Windows 10. The sad, but plain fact is that the vulnerability is yet to be patched by most of the antivirus vendors and could be used in the wild to attack almost any organization that uses an antivirus. Once the attacker has gained control of the antivirus, he may command it to perform malicious operations on behalf of the attacker. Because the antivirus is considered a trusted entity, any malicious operation done by it would be considered legitimate, giving the attacker the ability to bypass all the security products in the organization.

The attack has been tested and proven on all the major antiviruses as well as of all versions of Microsoft Windows. The attack was reported to all the major vendors which approved the vulnerability and are currently working on finding a solution and releasing a patch.

How Does DoubleAgent Work?

DoubleAgent exploits a legitimate tool of Windows called ‘Microsoft Application Verifier’ which is a tool included in all versions of Microsoft Windows and is used as a runtime verification tool in order to discover and fix bugs in applications. Our researchers discovered an undocumented ability of Application Verifier that gives an attacker the ability to replace the standard verifier with his own custom verifier. An attacker can use this ability in order to inject a custom verifier into any application. Once the custom verifier has been injected, the attacker now has full control over the application.

Application Verifier was created in order to strengthen application security by discovering and fixing bugs, and ironically DoubleAgent uses this feature in order to perform malicious operations”.

More technical information here and here.

Arrange a Conversation