Hijacking Antivirus Software

Tuesday, November 14, 2017 @ 10:11 AM gHale


Users installing third-party antivirus software need to be aware that those solutions are not bulletproof.

Some antivirus programs have vulnerabilities that allow attackers to leverage the restore-from-quarantine option to infect a target machine.


The vulnerability is in the engine of several antivirus products, and as security researcher Florian Bogner said in a post, it makes it possible for attackers to simply move a quarantined file infected with malware to a sensitive location on the local drives where it can wreak havoc.

He showed how a phishing attack was blocked by the antivirus software when the sample of malware was detected. With the file moved to quarantine, the vulnerability that he called AVGater allowed the attacker to obtain unprivileged access to content flagged as infected.

By abusing Windows features such as NTFS directory junctions and the Dynamic Link Library search order, Bogner was able to transfer an infected file from the quarantine to a sensitive location on the hard drive.
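For defenders, the junction step described above can be audited. The following is an added example, not code from Bogner's post or any vendor: it flags directory links that sit outside admin-only directories but point into them. The function names, the `PROTECTED_ROOTS` list and the sample records are assumptions made for illustration.

```python
import ntpath
import os

# Assumed admin-only directories; adjust per host.
PROTECTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")

def _norm(path):
    """Strip NT/Win32 device prefixes and normalise case, slashes and '..'."""
    for prefix in ("\\??\\", "\\\\?\\"):
        if path.startswith(prefix):
            path = path[len(prefix):]
    return ntpath.normcase(ntpath.normpath(path))

def is_under(path, root):
    """True if path is root or below it (component-wise, not a bare prefix)."""
    path, root = _norm(path), _norm(root)
    return path == root or path.startswith(root + "\\")

def risky_junctions(links, protected=PROTECTED_ROOTS):
    """Return (link, target) pairs that redirect from outside a protected root into one."""
    hits = []
    for link, target in links:
        link_protected = any(is_under(link, r) for r in protected)
        target_protected = any(is_under(target, r) for r in protected)
        if target_protected and not link_protected:
            hits.append((link, target))
    return hits

def collect_links(root):
    """Walk root and yield (path, target) for every directory link found.
    On Windows, os.readlink resolves junctions as well as symlinks."""
    for dirpath, dirnames, _ in os.walk(root):
        for name in list(dirnames):
            full = os.path.join(dirpath, name)
            try:
                target = os.readlink(full)
            except OSError:
                continue  # ordinary directory or unreadable entry
            dirnames.remove(name)  # never descend through a link
            yield full, target

# Constructed sample records (not taken from the article).
SAMPLE = [
    (r"C:\Users\alice\AppData\Local\Temp\restore", r"\??\C:\Program Files\ExampleAV"),
    (r"C:\Users\alice\Documents\backup", r"D:\Backups"),
    (r"C:\Program Files\Vendor\data", r"C:\Windows\Temp"),
]
if __name__ == "__main__":
    print(risky_junctions(SAMPLE))
```

On a Windows host, feed `collect_links(r"C:\Users")` into `risky_junctions` to audit user-writable profiles.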

Bogner said large antivirus vendors suffer from the vulnerability, and some have already released patches, including Trend Micro, Emsisoft, Malwarebytes, Kaspersky, and ZoneAlarm. Others will follow soon.

The good news is AVGater is not remotely exploitable. However, a successful attack can lead to an attacker gaining full control over the system, Bogner said.


