‘Double Agent’ Exploits Windows Zero Day

Friday, March 24, 2017 @ 11:03 AM gHale


There is a new Zero Day code injection and persistence technique that can end up leveraged to take over Windows systems.

“DoubleAgent exploits a 15 year old vulnerability which works on all versions of Microsoft Windows, starting from Windows XP right up to the latest release of Windows 10,” researchers said.

To prove the attack, researchers from security provider Cybellum demonstrated it on antivirus solutions. The end result was it turned the antivirus security agent into a malicious agent. That is why they called the attack Double Agent.

“DoubleAgent exploits a legitimate tool of Windows called ‘Microsoft Application Verifier’ which is a tool included in all versions of Microsoft Windows and is used as a runtime verification tool in order to discover and fix bugs in applications,” researchers said in a blog post.

“Application Verifier was created in order to strengthen application security by discovering and fixing bugs, and ironically DoubleAgent uses this feature in order to perform malicious operations,” researchers said.

“Our researchers discovered an undocumented ability of Application Verifier that gives an attacker the ability to replace the standard verifier with his own custom verifier. An attacker can use this ability in order to inject a custom verifier into any application. Once the custom verifier has been injected, the attacker now has full control over the application.”

The attack is not limited to antivirus products; the same verifier injection can be used to compromise other applications.

“By using DoubleAgent, the attacker can take full control over the antivirus and do as he wishes without the fear of being caught or blocked,” they said.

This includes:
1. Turning the antivirus into malware
2. Modifying the antivirus internal behavior
3. Abusing the antivirus trusted nature
4. Destroying the machine
5. Denial of service
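The article does not say how Application Verifier decides which DLL to load into a process. As an added defensive check (my own script, not part of the article or of Cybellum's PoC), the following relies on the documented mechanism: a per-executable Image File Execution Options (IFEO) registry key whose GlobalFlag bit 0x100 enables the verifier and whose VerifierDlls value names the DLLs the loader pulls from System32 into that process at startup. It lists every such registration with the signature state of each DLL, so an unexpected verifier registered under an antivirus executable stands out.

```powershell
# Added example: enumerate Application Verifier registrations. Not from the article.
# A persistent DoubleAgent-style implant appears here as a VerifierDlls entry under the
# IFEO key of the targeted executable, with GlobalFlag bit 0x100 set so the loader
# injects it at process start.
$FLG_APPLICATION_VERIFIER = 0x100
$IfeoRoots = @(
  'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-VerifierRegistration {
  foreach ($root in $IfeoRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    $hive = if ($root -like '*WOW6432Node*') { '32-bit' } else { '64-bit' }
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
      $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
      if (-not $props.VerifierDlls) { continue }        # no verifier configured for this exe
      # GlobalFlag may be REG_DWORD or a hex string such as "0x100"; an absent value reads as 0
      try { $flags = [int]$props.GlobalFlag } catch { $flags = 0 }
      foreach ($dll in ($props.VerifierDlls -split '\s+' | Where-Object { $_ })) {
        # Verifier provider DLLs are loaded from the system directory, so look for them there
        $path = Join-Path -Path $env:SystemRoot -ChildPath "System32\$dll"
        if (Test-Path -Path $path) {
          $info   = Get-AuthenticodeSignature -FilePath $path
          $status = $info.Status
          $signer = $info.SignerCertificate.Subject
        } else {
          $status = 'FileMissing'
          $signer = $null
        }
        [pscustomobject]@{
          Executable      = $key.PSChildName
          Hive            = $hive
          VerifierEnabled = (($flags -band $FLG_APPLICATION_VERIFIER) -ne 0)
          VerifierDll     = $dll
          Signature       = $status
          Signer          = $signer
        }
      }
    }
  }
}

# On a machine that is not running Application Verifier for debugging, the expected
# result is no output. Any row whose DLL is unsigned or not Microsoft-signed, or that
# sits under a security product's executable, is worth investigating.
Get-VerifierRegistration | Sort-Object Executable | Format-Table -AutoSize
```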

Cybellum researchers showed a video of a DoubleAgent code injection against Symantec Norton antivirus, and offered PoC exploit code on GitHub.

The researchers have notified major antivirus vendors of their findings, and some have already issued a patch for the vulnerability. Trend Micro’s patch is also in the works. Among the still vulnerable antivirus apps are those by Avast, BitDefender, ESET, Kaspersky, and F-Secure.