DoubleAgent Zero-Day Turns Major AV Programs into Malicious Agents

Nowadays, having an antivirus program is not enough to be secure, as it turns out. A new research by security company Cybellum has unearthed a serious zero-day vulnerability that enables attackers to take control of antivirus programs installed on a Windows system. According to the researchers, the flaw is present in all existing Windows versions, starting with Windows XP all the way up to Windows 10 most recent build.

Cybellum says the zero-day can take “full control over major antiviruses and next-generation antiviruses”, adding that “instead of hiding and running away from the antivirus, attackers can now directly assault and hijack control over the antivirus”.

Related: CVE-2016-7855 Flash Bug Exploited in Limited Attacks

The attack is initiated when malicious actors inject code into the AV program, thus exploiting the zero-day in question. The vulnerability and the attack it triggers have been dubbed DoubleAgent, because it turns the user’s AV security agent into a malicious agent, researchers explain. DoubleAgent literally gives the illusion that the AV in place protects the system while actually it’s been abused by malicious elements.

The attack takes advantage of a 15-year-old vulnerability. The worst part is that it’s yet to be patched by most of the affected AV vendors, meaning that it could be deployed in attacks in the wild against both individuals and organizations.

Once the attacker has gained control of the antivirus, he may command it to perform malicious operations on behalf of the attacker. Because the antivirus is considered a trusted entity, any malicious operation done by it would be considered legitimate, giving the attacker the ability to bypass all the security products in the organization.

According to Cybellum researchers, a prevalent number of major AV solutions are affected, such as Avast, AVG, Avira, Bitdefender, TrendMicro, Comodo, ESET, Kaspersky, F-Secure, Malwarebytes, McAffee, Panda, Norton, Quick Heal.
The vulnerability has already been identified in some AV:

  • Avast – CVE-2017-5567
  • AVG – CVE-2017-5566
  • Avira – CVE-2017-6417
  • Bitdefender – CVE-2017-6186
  • TrendMicro – CVE-2017-5565

How Does DoubleAgent Exploit Work?

The flaw exploits a legitimate tool offered by Microsoft in Windows and called “Microsoft Application Verifier”, which is designed to help developers locate bugs in their apps. The tool can be compromised to take the place of the standard verifier with a custom one, meant to assist the attacker in hijacking the app.

The company has already been in contact with the affected AV vendors. Unfortunately, only two of the companies have released a patch (Malwarebytes and AVG).

Related: CVE-2017-3881 Affects More than 300 Cisco Switches

Sadly, DoubleAgent’s capability to inject code even after a system reboot makes it very difficult to remove.

Once a persistence technique is well-known, security products update their signatures accordingly. So once the persistence is known, it can be detected and mitigated by the security products.Being a new persistence technique, DoubleAgent bypasses AV, NGAV and other endpoint solutions, and giving an attacker ability to perform his attack undetected with no time limit.

Further technical details are available in Cybellum’s blog post.

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.

More Posts - Website

Newsletter
Subscribe to receive regular updates about the state of PC Security and latest threads.

Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.