Researchers have discovered that a debugging tool present in many versions of the Windows operating system can be used to gain access to vulnerable antivirus programs and then weaponize them for malicious purposes.
The researchers who discovered the flaw, from Israeli cybersecurity firm Cybellum, explained that the "DoubleAgent attack" takes advantage of the Microsoft Application Verifier, a tool used for strengthening security in third-party Windows applications, to inject customized code into programs. An attacker can use this tool to manipulate programs in general, but antivirus programs are the more advantageous target since they have administrative privileges on computer systems.
"You are installing antivirus to protect you, but actually you're opening a new attack vector into your computer," says Slava Bronfman, the CEO of Cybellum. "Hackers usually try to run away from AV and hide from it, but now instead of running away they can directly attack the AV. And once they control it they don't even need to install it, they can just quietly keep it running."
The researchers said that once the attack begins, the malicious code is persistent because the verifier tool has accepted it. Once hackers control the antivirus program, they can manipulate it to carry out all sorts of attacks, from encrypting user data and demanding a ransom to surveilling the user. All of this is possible because of the trust that the operating system places in these antivirus programs.
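Application Verifier provider DLLs are registered per executable in a `VerifierDlls` value under the Image File Execution Options registry key, so that key is where a defender can look for this kind of persistence. The following is an added example (not code from the article or from Cybellum) that parses a `reg export` of that key and reports registrations outside an allowlist; the sample export, the executable and DLL names in it, and the allowlist are constructed assumptions.

```python
import re

# Matches both the native and the Wow6432Node copy of the key (compared lowercased).
IFEO = r"\windows nt\currentversion\image file execution options" + "\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"VerifierDlls"="(.*)"$', re.IGNORECASE)


def find_verifier_registrations(reg_text, allowed=frozenset()):
    """Return [(image_name, [unexpected_dlls])] for IFEO subkeys that carry
    a VerifierDlls value naming DLLs outside the allowlist."""
    allowed = {a.lower() for a in allowed}
    findings, image = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:  # new registry key: remember which executable it applies to
            key = m.group(1).lower()
            pos = key.find(IFEO)
            image = key[pos + len(IFEO):] if pos != -1 else None
            continue
        m = VAL_RE.match(line)
        if m and image:
            # .reg files escape backslashes; the value is a space-separated list
            dlls = m.group(1).replace("\\\\", "\\").split()
            unexpected = [d for d in dlls if d.lower() not in allowed]
            if unexpected:
                findings.append((image, unexpected))
    return findings


# Constructed sample export. Real `reg export` files are UTF-16, so read them
# with open(path, encoding="utf-16") before passing the text in.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example_av.exe]
"VerifierDlls"="unknown_provider.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dev_tool.exe]
"VerifierDlls"="vrfcore.dll vfbasics.dll"
'''

# Assumed allowlist: verifier DLLs the organisation expects on developer machines.
ALLOWED = {"vrfcore.dll", "vfbasics.dll"}

if __name__ == "__main__":
    for image, dlls in find_verifier_registrations(SAMPLE, ALLOWED):
        print(f"review: {image} loads verifier DLL(s) {', '.join(dlls)}")
```

On production endpoints, any `VerifierDlls` entry for a security product's executable is worth reviewing, since Application Verifier is a development-time tool.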
The researchers listed 14 vulnerable antivirus programs whose developers they notified of the issue: Avast, Avira, Kaspersky, McAfee, Trend Micro, Comodo, ESET, Malwarebytes, AVG, Norton, F-Secure, Panda, Quick Heal and Bitdefender.
Mohammed Mannan, a security researcher who studied antivirus vulnerabilities at Concordia University in Montreal, doesn't agree with using antivirus programs.
"Personally I have stopped using antivirus products, I don't remember the last time I had it in my PC," he said. "All software has bugs, but if something goes wrong with antivirus products the fallout can be very significant as in this case (with DoubleAgent). Antivirus products generally run with a lot of privileges in the system, so if that can be compromised you get basically full access."
So far, only Trend Micro, Malwarebytes and AVG have released a patch.