A team of security researchers from Cybellum, an Israeli zero-day prevention firm, has discovered a new Windows vulnerability that could allow hackers to take full control of your computer.
Dubbed DoubleAgent, the new injecting code technique works on all versions of Microsoft Windows operating systems, starting from Windows XP to the latest release of Windows 10.
What’s worse? DoubleAgent exploits a 15-years-old undocumented legitimate feature of Windows called “Application Verifier,” which cannot be patched.
Application Verifier is a runtime verification tool that loads DLLs (dynamic link library) into processes for testing purpose, allowing developers quickly detect and fix programming errors in their applications.
Unpatchable Microsoft Application Verifier Exploit
The vulnerability resides in how this Application Verifier tool handles DLLs. According to the researchers, as part of the process, DLLs are bound to the target processes in a Windows Registry entry, but attackers can replace the real DLL with a malicious one. Simply by creating a Windows Registry key with the name same as application he wants to hijack, an attacker can provide his own custom verifier DLL he would like to inject into a legitimate process of any application. Once the custom DLL has been injected, the attacker can take full control of the system and perform malicious actions, such as installing backdoors and persistent malware, hijacking the permissions of any existing trusted process, or even hijacking other users’ sessions.
“DoubleAgent gives the attacker the ability to inject any DLL into any process. The code injection occurs extremely early during the victim’s process boot, giving the attacker full control over the process and no way for the process to protect itself.”
In order to demonstrate the DoubleAgent attack, the team hijacked anti-virus applications — which is the main defense on systems to prevent any malware from running — using their technique and turn them into malware. The team was able to corrupt the anti-virus app using the DoubleAgent attack and get the security software to act as disk-encrypting ransomware.
The attack works on every version of Windows OS from Windows XP to Windows 10 and is hard to block because the malicious code can be re-injected into the targeted legitimate process after the system reboots – Thanks to the persistent registry key.
The researchers said most of the today’s security products on the market are susceptible to the DoubleAgent attacks. Here’s the list of affected security products:
- Avast (CVE-2017-5567)
- AVG (CVE-2017-5566)
- Avira (CVE-2017-6417)
- Bitdefender (CVE-2017-6186)
- Trend Micro (CVE-2017-5565)
- Quick Heal
After hijacking the anti-virus software, attackers can also use the DoubleAgent attack to disable the security product, making it blind to malware and cyber attacks, using the security product as a proxy to launch attacks on the local computer or network, elevating the user privilege level of all malicious code, hiding malicious traffic or exfiltrate data, or damaging the OS or causing a denial of service.
Note: Cybellum researchers only focused on anti-virus programs, though the DoubleAgent attack could work with any application, even Windows operating system itself.
Many Antiviruses Still Unpatched Even After 90 Days Of Responsible Disclosure
Cybellum said the company had reported the DoubleAgent attack to all affected anti-virus vendors more than 90 days ago.
Cybellum researchers have been working with some anti-virus companies to patch the issue, but so far, only Malwarebytes and AVG have released a patch, while Trend-Micro has planned to release one soon, as well.
So, if you use any of the three apps mentioned above, you are strongly advised to update it as soon as possible.
As a mitigation, the researchers note that the simplest fix for antivirus vendors is to switch from Application Verifier to a newer architecture called Protected Processes.
Protected processes mechanism protects anti-malware services against such attacks by not allowing other apps from injecting unsigned code, but this mechanism has so far been implemented only in Windows Defender, which was introduced by Microsoft in Windows 8.1. Cybellum has also provided a video demonstration of the DoubleAgent attack, showing how they turned an antivirus app into a ransomware that encrypts files until you pay up.
The company also posted proof-of-concept (PoC) code on GitHub, and two blog posts, listed below detailing the DoubleAgent attack.
DoubleAgent: Taking Full Control Over Your Antivirus
DoubleAgent: Zero-Day Code Injection and Persistence Technique