Dark Reading is part of the Informa Tech Division of Informa PLC

Windows 'DoubleAgent' Attack Turns AV Tools into Malware

Zero-day attack exploits a legitimate process in Windows, according to Cybellum; AV vendors downplay threat.

[This article was updated on 3/23/17 at 2:40pmET]

Several antivirus vendors today downplayed a dramatic report warning of a zero-day exploit for compromising AV tools and turning them against the very systems they are designed to protect.

The attack, dubbed DoubleAgent, takes advantage of a legitimate Windows tool called Microsoft Application Verifier and works against AV products from numerous vendors including Symantec, Trend Micro, Kaspersky Lab, ESET, and others, security vendor Cybellum said in an alert this week.

The exploit gives attackers a way to turn an antivirus product from any of these vendors into malware for snooping on users, stealing data from their systems, and for moving laterally across the network and sabotaging the system, Cybellum said. Most importantly, since the malware would masquerade as an AV product, it would also give attackers a way to maintain persistence on a compromised system for as long as they wanted.

"DoubleAgent gives the attacker the ability to control the AV without being detected, while keeping the illusion that the AV is working normally," says Slava Bronfman, cofounder and CEO of Cybellum.

Bronfman says researchers from the company discovered the issue a few months ago and immediately reported it to Microsoft and the affected AV vendors.

"We reported it to all the vendors more than 90 days ago, and gave them plenty of time to patch it," Bronfman says. "The responsible thing to do now is to publish it, since attackers are examining other vendor patches and might use this attack."

DoubleAgent takes advantage of an undocumented feature in Microsoft Application Verifier that has been around since at least Windows XP. Application Verifier is a Windows feature that lets developers do runtime verifications of their applications for finding and fixing security issues.

The undocumented feature that Cybellum researchers discovered gives attackers a way to replace the legitimate verifier with a rogue verifier so they can gain complete control of the application.

The technique can be used to hijack any application, not just AV tools, Bronfman says. Attackers do not even need to alter the proof-of-concept code that Cybellum released this week to attack an application. "You just execute it with the requested application name and it would automatically attack it, no matter if it's an antivirus or a different application," he says. "Every script kiddie can just compile it, include his malicious code, and use it right away."

Because the attack exploits a legitimate Windows tool, there's little Microsoft can do to patch against it, adds Bronfman. "The only thing that can be done to mitigate the problem is per-application mitigation," he says.

AV vendors would need to figure out if the Microsoft verifier tool can be used against their software and then figure out a way to block it, according to Bronfman. "DoubleAgent works against any application that doesn't specifically protect itself against DoubleAgent," he says.

But several security vendors say the threat posed by the DoubleAgent attack is less dramatic than it might first appear.

"This requires an attacker to be able to write to the Windows registry, which is something normally restricted to those with Administrator access," says Dustin Childs, director of communication for Trend Micro’s Zero Day Initiative. In order to pull off the attack, a threat actor would already need to be in control of a system, he says.

"One area where this issue could be impactful is maintaining access to a compromised system by increasing their chance of persistence," Childs says.
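A defensive check that follows from Childs' point, added here as an example and not code from the article or Cybellum: a PowerShell audit that lists every image with a registered Application Verifier provider under the Image File Execution Options registry key (the location Application Verifier itself uses) and reports whether the provider DLL on disk carries a valid Authenticode signature. Resolving the DLL name under System32 is an assumption of this script.

```powershell
# Added audit script (not from the article or Cybellum). Lists IFEO entries that
# carry a VerifierDlls value, i.e. a registered Application Verifier provider, and
# checks the signing status of each DLL so an unexpected provider attached to a
# security product (or any other process) stands out. Read-only; needs no admin.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-VerifierProviders {
    param([string[]]$Roots = $ifeoRoots)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            if (-not $props.VerifierDlls) { continue }
            # GlobalFlag bit 0x100 (FLG_APPLICATION_VERIFIER) is what makes the loader
            # honour VerifierDlls; it may be stored as a DWORD or as a "0x100" string.
            $flag = 0
            if ($props.GlobalFlag) { $flag = [int]$props.GlobalFlag }
            [pscustomobject]@{
                Image        = $key.PSChildName
                VerifierDlls = $props.VerifierDlls
                VerifierOn   = (($flag -band 0x100) -ne 0)
                Hive         = $root
            }
        }
    }
}

# Triage: one line per provider DLL. Assumption: the DLL name resolves under
# System32; a MISSING or unsigned provider on an AV image warrants investigation.
Get-VerifierProviders | ForEach-Object {
    $entry = $_
    foreach ($dll in ($entry.VerifierDlls -split '\s+' | Where-Object { $_ })) {
        $path = Join-Path $env:SystemRoot ("System32\" + $dll)
        $sig = if (Test-Path $path) { (Get-AuthenticodeSignature $path).Status } else { 'MISSING' }
        '{0,-28} dll={1,-24} verifier_enabled={2} signature={3}' -f $entry.Image, $dll, $entry.VerifierOn, $sig
    }
}
```

A clean workstation normally prints nothing; entries that appear only for developer tooling under active debugging, or for Microsoft-signed verifier DLLs, are the expected exceptions.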

Jon Clay, director of global threat communications for Trend Micro, adds that the company’s Trend Micro Consumer endpoint product is vulnerable to DoubleAgent, but a patch for it is already available.

A spokeswoman from ESET confirmed that the company’s AV product for Windows is vulnerable to the DoubleAgent attack. But she added that the severity of the threat is considered very low since attackers would first need to have all necessary admin rights on the victim machine. [UPDATE] ESET on Thursday announced it has a fix for the issue. [END OF UPDATE]

In an emailed statement, a Symantec spokesperson maintained that an attacker would need admin rights plus physical access to a machine—something that Bronfman refutes—in order to pull off an attack. "We confirmed that this PoC does not exploit a product vulnerability within Norton Security," the spokesperson said. "We remain committed to protecting our customers and have developed and deployed additional detection and blocking protections to users in the unlikely event they are targeted."

[UPDATE 3/23]: Two AV vendors Thursday said they already have a fix for the issue, while a third said it is working on one.

In a statement, Kaspersky Lab said that as of March 22, its AV products have been updated with capabilities for detecting and blocking the DoubleAgent attack. Like the other vendors, the company noted that an attacker would need to have previously compromised a system and escalated privileges on the device in order to register a new Application Verifier Provider. "This vulnerability allows the attacker to inject code into most OS processes, not just security solutions," the company said. "Kaspersky Lab recommends that all customers keep their security solutions up to date and do not disable behavior-based detection features."

AV vendor Avast said it implemented a fix for its products soon after Cybellum reported the issue to the company via its Bug Bounty program. Avast said in a statement that based on its evaluation of the things an attacker would first need to do to pull off a DoubleAgent type attack, Cybellum’s own emphasis on the risk posed by the exploits is "overstated."

F-Secure, meanwhile, said in a statement that the flaw is not a zero-day: "Scenarios where an attacker has already compromised a machine and elevated themselves to admin are well-known in the cyber security industry. The described method, while an interesting academic exercise, was initially presented by Alex Ionescu at several conferences during 2015. It is thus not a zero-day attack," F-Secure said. F-Secure is working on a fix for affected products and will roll it out as soon as ready, the company said. [END OF UPDATE]

Microsoft declined a request for comment on DoubleAgent.

Meanwhile, Microsoft already provides a mechanism called Protected Processes that is designed to protect AV products against code-injection attacks such as DoubleAgent.

The Protected Processes infrastructure ensures that only trusted, digitally signed code can run inside such a process, so any attempt to inject a rogue verifier into an AV product would not work. But Microsoft’s own Windows Defender currently is the only tool to implement Protected Processes, although it has been available to third parties for more than three years.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
