Windows 10: DoubleAgent zero-day hijacks Microsoft tool to turn antivirus into malware

Microsoft's Application Verifier tool can be used by attackers to grab control of antivirus software, researchers say.
Written by Liam Tung, Contributing Writer

Cybellum says DoubleAgent is a zero-day attack that hijacks antivirus software and uses it to inject malware.

Security researchers have discovered a new attack called DoubleAgent that uses a Windows bug-fixing tool to turn antivirus into malware.

The DoubleAgent attack is detailed by Israel-based security firm Cybellum, which claims to have confirmed it can compromise products by Avast, AVG, Avira, Bitdefender, Trend Micro, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Panda, Quick Heal, and Norton. The company says other antivirus products are also likely to be vulnerable.

The attack relies on Microsoft Application Verifier, a runtime verification tool used to discover bugs and improve the security of third-party Windows applications. The tool ships with Windows XP through to Windows 10.

"Our researchers discovered an undocumented ability of Application Verifier that gives an attacker the ability to replace the standard verifier with his own custom verifier," writes Cybellum.

"An attacker can use this ability to inject a custom verifier into any application. Once the custom verifier has been injected, the attacker now has full control over the application."

The issue doesn't lie with Microsoft, but rather with antivirus vendors, and it could be used to attack organizations that use affected antivirus products.

The issue can actually affect all software products, but Cybellum has focused on antivirus software since these products run with high privileges and are considered trusted.

Hence, if antivirus software is hijacked, it would bypass other security products used by an organization, the company warns.

In a separate write-up, Cybellum co-founder and chief technology officer Michael Engstler explains that DoubleAgent allows the attacker to inject any dynamic link library into any process. The attack will survive a reboot, as well as attempts to uninstall and reinstall the program.
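
Because the injected verifier persists across reboots, defenders can audit where verifier providers are registered. The following Python script is an added example, not code from the article or from Cybellum. It relies on a Windows detail the article does not state: providers are listed per executable in the `VerifierDlls` value under the `Image File Execution Options` registry key. The sample export, the image and DLL names in it, and the allowlist are constructed assumptions.

```python
import re

FLG_APPLICATION_VERIFIER = 0x100  # GlobalFlag bit that turns Application Verifier on
KEY_RE = re.compile(r"\[.*\\Image File Execution Options\\([^\\\]]+)\]", re.I)
VALUE_RE = re.compile(r'"([^"]+)"=(.+)')

# Constructed sample in .reg export format; image and DLL names are illustrative.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avservice-example.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="unknown-provider.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devtest-example.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="vrfcore.dll vfbasics.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\other-example.exe]
"DisableHeapLookaside"=dword:00000001
'''

def parse_ifeo(reg_text):
    """Map each image name under IFEO to its {value name: raw data} pairs."""
    images, current = {}, None
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("["):
            key = KEY_RE.fullmatch(line)
            current = images.setdefault(key.group(1), {}) if key else None
        elif current is not None and (val := VALUE_RE.fullmatch(line)):
            current[val.group(1).lower()] = val.group(2)
    return images

def audit_verifier_dlls(reg_text, expected=frozenset()):
    """Report images whose VerifierDlls value names a DLL outside `expected`."""
    findings = []
    for image, values in sorted(parse_ifeo(reg_text).items()):
        if "verifierdlls" not in values:
            continue
        # Assumption: the value is a whitespace-separated list of DLL names.
        dlls = values["verifierdlls"].strip('"').replace("\\\\", "\\").split()
        unexpected = [d for d in dlls if d.lower() not in expected]
        flag = re.fullmatch(r"dword:([0-9a-f]{8})", values.get("globalflag", ""), re.I)
        enabled = bool(flag and int(flag.group(1), 16) & FLG_APPLICATION_VERIFIER)
        if unexpected:
            findings.append({"image": image, "unexpected": unexpected,
                             "verifier_enabled": enabled})
    return findings
```

On a real host, feed it the output of `reg export` for the Image File Execution Options key, decoded from UTF-16. With an empty allowlist every registration is reported, which suits production machines where Application Verifier should not be enabled at all.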

So far, security vendors that have patched the issue include Malwarebytes, AVG, and Trend Micro, Engstler told Bleeping Computer. He also noted that all software is vulnerable to the attack, but highlighted antivirus due to its position as a key defense against malware.

However, Norton Security told ZDNet that after investigating this issue it can confirm that this proof of concept does not exploit a product vulnerability in its antivirus products.

"It is an attempt to bypass an installed security product and would require physical access to the machine and admin privileges to be successful," a Norton spokesman said, adding that it has deployed additional detection and blocking protections in the unlikely event users are targeted.

Kaspersky Lab told ZDNet that measures to detect and block the malicious scenario have now been added to all its products. It recommends that customers keep their security solutions up to date and "do not disable behavior-based detection features".

Avast CTO Ondrej Vlcek said Cybellum alerted his firm last year to the exploit, which Avast addressed at the time, so its products are not vulnerable.

"It is important to note that the exploit requires administrator privileges to conduct the attack and once that's the case, there are numerous other ways to cause damage or modify the underlying operating system itself," he said.

"Therefore, we rate the severity of this issue as 'low' and Cybellum's emphasis on the risk of this exploit to be overstated."

According to Cybellum, the only antivirus product shielded from DoubleAgent is Windows Defender. That's because it alone uses a Windows mechanism called Protected Processes, a protection in the kernel designed specifically to protect anti-malware services running in user mode. Microsoft introduced this feature in Windows 8.1, but clearly no security vendors have adopted the technology.

As Microsoft explains, most anti-malware products have a user-mode service, which is often used to download new virus definitions and updates.

While third-party developers can employ some techniques to protect these update services from attack, they're not foolproof. Protected Processes ensures user-mode services only allow trusted code to load and shields them from attacks launched from admin services.

Cybellum has posted proof-of-concept attack code on GitHub as well as a video on YouTube demonstrating the attack.
