
Windows 'DoubleAgent' Attack Turns AV Tools into Malware

Zero-day attack exploits a legitimate process in Windows, according to Cybellum; AV vendors downplay threat.

[This article was updated on 3/23/17 at 2:40pmET]

Several antivirus vendors today downplayed a dramatic report warning of a zero-day exploit for compromising AV tools and turning them against the very systems they are designed to protect.

The attack, dubbed DoubleAgent, takes advantage of a legitimate Windows tool called Microsoft Application Verifier and works against AV products from numerous vendors including Symantec, Trend Micro, Kaspersky Lab, ESET, and others, security vendor Cybellum said in an alert this week.

The exploit gives attackers a way to turn an antivirus product from any of these vendors into malware for snooping on users, stealing data from their systems, and for moving laterally across the network and sabotaging the system, Cybellum said. Most importantly, since the malware would masquerade as an AV product, it would also give attackers a way to maintain persistence on a compromised system for as long as they wanted.

"DoubleAgent gives the attacker the ability to control the AV without being detected, while keeping the illusion that the AV is working normally," says Slava Bronfman, cofounder and CEO of Cybellum.

Bronfman says researchers from the company discovered the issue a few months ago and immediately reported it to Microsoft and the affected AV vendors.

"We reported it to all the vendors more than 90 days ago, and gave them plenty of time to patch it," Bronfman says. "The responsible thing to do now is to publish it, since attackers are examining other vendor patches and might use this attack."

DoubleAgent takes advantage of an undocumented feature in Microsoft Application Verifier that has been around since at least Windows XP. Application Verifier is a Windows feature that lets developers do runtime verifications of their applications for finding and fixing security issues.

The undocumented feature that Cybellum researchers discovered gives attackers a way to replace the legitimate verifier with a rogue verifier so they can gain complete control of the application.

The technique can be used to hijack any application, not just AV tools, Bronfman says. Attackers do not even need to alter the proof-of-concept code that Cybellum released this week to attack an application. "You just execute it with the requested application name and it would automatically attack it, no matter if it's an antivirus or a different application," he says. "Every script kiddie can just compile it, include his malicious code, and use it right away."

Because the attack exploits a legitimate Windows tool, there's little Microsoft can do to patch against it, adds Bronfman. "The only thing that can be done to mitigate the problem is per-application mitigation," he says.

AV vendors would need to figure out if the Microsoft verifier tool can be used against their software and then figure out a way to block it, according to Bronfman. "DoubleAgent works against any application that doesn't specifically protect itself against DoubleAgent," he says.

But several security vendors say the threat posed by the DoubleAgent attack is less dramatic than it might first appear.

"This requires an attacker to be able to write to the Windows registry, which is something normally restricted to those with Administrator access," says Dustin Childs, director of communication for Trend Micro’s Zero Day Initiative. In order to pull off the attack, a threat actor would already need to be in control of a system, he says.

"One area where this issue could be impactful is maintaining access to a compromised system by increasing their chance of persistence," Childs says.

Jon Clay, director of global threat communications for Trend Micro, adds that the company’s Trend Micro Consumer endpoint product is vulnerable to DoubleAgent, but a patch for it is already available.

A spokeswoman from ESET confirmed that the company’s AV product for Windows is vulnerable to the DoubleAgent attack. But she added that the severity of the threat is considered very low, since attackers would first need to have all the necessary admin rights on the victim machine. [UPDATE] ESET on Thursday announced it has a fix for the issue. [END OF UPDATE]

In an emailed statement, a Symantec spokesperson maintained that an attacker would need admin rights plus physical access to a machine—something that Bronfman refutes—in order to pull off an attack. "We confirmed that this PoC does not exploit a product vulnerability within Norton Security," the spokesperson said. "We remain committed to protecting our customers and have developed and deployed additional detection and blocking protections to users in the unlikely event they are targeted."

[UPDATE 3/23]: Two AV vendors said Thursday that they already have a fix for the issue, while a third said it is working on one.

In a statement, Kaspersky Lab said that as of March 22, its AV products have been updated with capabilities for detecting and blocking the DoubleAgent attack. Like the other vendors, the company noted that an attacker would need to have previously compromised a system and escalated privileges on the device in order to register a new Application Verifier Provider. "This vulnerability allows the attacker to inject code into most OS processes, not just security solutions," the company said. "Kaspersky Lab recommends that all customers keep their security solutions up to date and do not disable behavior-based detection features."

AV vendor Avast said it implemented a fix for its products soon after Cybellum reported the issue to the company via its Bug Bounty program. Avast said in a statement that based on its evaluation of the things an attacker would first need to do to pull off a DoubleAgent type attack, Cybellum’s own emphasis on the risk posed by the exploits is "overstated." 

F-Secure, meanwhile, said in a statement that the flaw is not a zero-day: "Scenarios where an attacker has already compromised a machine and elevated themselves to admin are well-known in the cyber security industry. The described method, while an interesting academic exercise, was initially presented by Alex Ionescu at several conferences during 2015. It is thus not a zero-day attack," F-Secure said. F-Secure is working on a fix for affected products and will roll it out as soon as it is ready, the company said. [END OF UPDATE]

Microsoft declined a request for comment on DoubleAgent.

Meanwhile, Microsoft already provides a mechanism called Protected Processes that is designed to protect AV products against code-injection attacks such as DoubleAgent.

The Protected Processes infrastructure ensures that only trusted, digitally signed code can run inside a protected process, so any attempt to inject a rogue verifier into an AV product running this way would not work. But Microsoft’s own Windows Defender currently is the only tool to implement Protected Processes, even though it has been available to third parties for more than three years.
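Because the attack hinges on an Application Verifier provider being registered for a target image, a defender can audit those registrations directly. The following PowerShell script is an added example, not code from the article, Cybellum, or any of the vendors quoted; it assumes the standard Image File Execution Options (IFEO) registry location, the FLG_APPLICATION_VERIFIER bit (0x100) in GlobalFlag, and that provider DLLs named in VerifierDlls are loaded from System32 (or SysWOW64 for 32-bit images).

```powershell
# Added example: list images with an Application Verifier provider enabled
# and flag provider DLLs that are missing or not Microsoft-signed.
# Assumes the documented IFEO keys and GlobalFlag bit 0x100.
$ifeoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$FLG_APPLICATION_VERIFIER = 0x100

function Get-VerifierProviders {
    foreach ($key in $ifeoKeys) {
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            $image = $_.PSChildName
            $props = Get-ItemProperty -Path $_.PSPath
            # GlobalFlag may be stored as REG_DWORD or as a "0x100" string
            $flags = if ($null -ne $props.GlobalFlag) { [int]$props.GlobalFlag } else { 0 }
            # VerifierDlls is a space-separated list of provider DLL names
            $dlls = if ($props.VerifierDlls) { "$($props.VerifierDlls)" -split '\s+' | Where-Object { $_ } } else { @() }
            if (($flags -band $FLG_APPLICATION_VERIFIER) -eq 0 -or $dlls.Count -eq 0) { return }
            foreach ($dll in $dlls) {
                # Providers are resolved from the system directory, not the image's folder
                $candidates = @("$env:SystemRoot\System32\$dll", "$env:SystemRoot\SysWOW64\$dll")
                $path = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
                $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
                $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                [pscustomobject]@{
                    Image      = $image
                    Provider   = $dll
                    Path       = if ($path) { $path } else { '<not found>' }
                    SigStatus  = if ($sig) { $sig.Status } else { 'Unknown' }
                    Signer     = $signer
                    # Missing, unsigned, or non-Microsoft providers deserve a closer look
                    Suspicious = (-not $sig) -or ($sig.Status -ne 'Valid') -or ($signer -notmatch 'Microsoft')
                }
            }
        }
    }
}

# Review everything that is flagged; an AV or other security product appearing
# here with a non-Microsoft provider is exactly the persistence pattern described above.
Get-VerifierProviders | Where-Object Suspicious | Format-Table -AutoSize
```

Legitimate third-party verifier providers do exist, so a flagged entry is a lead to investigate (who wrote the DLL, when the registry value changed), not proof of compromise.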

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
