Windows 'DoubleAgent' Attack Turns AV Tools into Malware

[This article was updated on 3/23/17 at 2:40pmET]

Several antivirus vendors today downplayed a dramatic report warning of a zero-day exploit for compromising AV tools and turning them against the very systems they are designed to protect.

The attack, dubbed DoubleAgent, takes advantage of a legitimate Windows tool called Microsoft Application Verifier and works against AV products from numerous vendors including Symantec, Trend Micro, Kaspersky Lab, ESET, and others, security vendor Cybellum said in an alert this week.

The exploit gives attackers a way to turn an antivirus product from any of these vendors into malware for snooping on users, stealing data from their systems, and for moving laterally across the network and sabotaging the system, Cybellum said. Most importantly, since the malware would masquerade as an AV product, it would also give attackers a way to maintain persistence on a compromised system for as long as they wanted.

"DoubleAgent gives the attacker the ability to control the AV without being detected, while keeping the illusion that the AV is working normally," says Slava Bronfman, cofounder and CEO of Cybellum.

Bronfman says researchers from the company discovered the issue a few months ago and immediately reported it to Microsoft and the affected AV vendors.

"We have reported all the vendors more than 90 days ago, and gave them plenty of time to patch it," Bronfman says. "The responsible thing to do now is to publish it, since attackers are examining other vendor patches and might use this attack."

DoubleAgent takes advantage of an undocumented feature in Microsoft Application Verifier that has been around since at least Windows XP. Application Verifier is a Windows feature that lets developers do runtime verifications of their applications for finding and fixing security issues.

The undocumented feature that Cybellum researchers discovered gives attackers a way to replace the legitimate verifier with a rogue verifier so they can gain complete control of the application.

The technique can be used to hijack any application, not just AV tools, Bronfman says. Attackers do not even need to alter the proof-of-concept code that Cybellum released this week to attack an application. "You just execute it with the requested application name and it would automatically attack it, no matter if it's an antivirus or a different application," he says. "Every script kiddie can just compile it, include his malicious code, and use it right away."

Because the attack exploits a legitimate Windows tool, there's little Microsoft can do to patch against it, adds Bronfman. "The only thing that can be done to mitigate the problem is per-application mitigation," he says.

AV vendors would need to figure out if the Microsoft verifier tool can be used against their software and then figure out a way to block it, according to Bronfman. "DoubleAgent works against any application that doesn't specifically protect itself against DoubleAgent" he says.

But several security vendors say the threat posed by the DoubleAgent attack is less dramatic than it might first appear.

"This requires an attacker to be able to write to the Windows registry, which is something normally restricted to those with Administrator access," says Dustin Childs, director of communication for Trend Micro’s Zero Day Initiative. In order to pull off the attack, a threat actor would already need to be in control of a system, he says.

"One area where this issue could be impactful is maintaining access to a compromised system by increasing their chance of persistence," Childs says.

Jon Clay, director of global threat communications for Trend Micro, adds that the company’s Trend Micro Consumer endpoint product is vulnerable to DoubleAgent, but a patch for it is already available.

A spokeswoman from ESET confirmed that the company’s AV product for Windows is vulnerable to the DoubleAgent attack. But she add that the severity of the threat is considered very low since attackers would first need to have all necessary admin right on the victim machine. [UPDATE] ESET on Thursday announced it has a fix for the issue. [END OF UPDATE]

In an emailed statement, a Symantec spokesperson maintained that an attacker would need admin rights plus physical access to a machine—something that Bronfman refutes—in order to pull off an attack. "We confirmed that this PoC does not exploit a product vulnerability within Norton Security," the spokesperson said. "We remain committed to protecting our customers and have developed and deployed additional detection and blocking protections to users in the unlikely event they are targeted."

[UPDATE 3/23]: Two AV vendors Thursday said they already have a fix for the issue while a third said it working on one.

In a statement, Kaspersky Lab said that as of March 22, its AV products have been updated with capabilities for detecting and blocking the DoubleAgent attack. Like the other vendors, the company noted that an attacker would need to have previously compromised a system and escalated privileges on the device in order to register a new Application Verifier Provider. "This vulnerability allows the attacker to inject code into most OS processes, not just security solutions," the company said. "Kaspersky Lab recommends that all customers keep their security solutions up to date and do not disable behavior-based detection features.”

AV vendor Avast said it implemented a fix for its products soon after Cybellum reported the issue to the company via its Bug Bounty program. Avast said in a statement that based on its evaluation of the things an attacker would first need to do to pull off a DoubleAgent type attack, Cybellum’s own emphasis on the risk posed by the exploits is "overstated." 

F-Secure, meanwhile said in a statement, contends that the flaw is not a zero-day: "Scenarios where an attacker has already compromised a machine and elevated themselves to admin are well-known in the cyber security industry. The described method, while an interesting academic exercise, was initially presented by Alex Ionescu at several conferences during 2015. It is thus not a zero-day attack," F-Secure said. F-Secure is working on a fix for affected products and will roll it out as soon as ready, the company said. [END OF UPDATE]

Microsoft declined a request for comment on DoubleAgent.

Meanwhile, Microsoft already provides a mechanism called Protected Processes that is designed to protect AV products against code-injection attacks such as DoubleAgent.

The Protected Processes infrastructure ensures that only trusted and digitally signed can run, so any attempt to inject a rogue verifier into an AV product would not work. But Microsoft’s own Windows Defender currently is the only tool to implement Protected Processes, although it has been available to third parties for more than three years.

Related stories: