Author Topic: DoubleAgent attack  (Read 2445 times)


Offline anarkii

  • Jr. Member
  • Posts: 54
DoubleAgent attack
« on: March 23, 2017, 02:03:50 PM »
Hi people,
Just wanted to post this here as this could have the potential to really do some damage.

Quote
A new Zero-day attack has emerged that may endanger your antivirus (irony, much?). The new attack, termed DoubleAgent, has the ability to control your antivirus using a Microsoft technology called Application Verifier, and a 15-year-old Windows XP era vulnerability.

The hacker may use the Application Verifier, which is a runtime verification tool, in order to discover and fix bugs in applications. He can then inject his own custom verifier into any particular application, in this case, an antivirus. This undocumented ability of the application may allow the attacker to have complete control over the program, which enables him or her to wreak havoc on your system.

The cyber-security research team explains:

Once the attacker has gained control of the antivirus, he may command it to perform malicious operations on behalf of the attacker. Because the antivirus is considered a trusted entity, any malicious operation done by it would be considered legitimate, giving the attacker the ability to bypass all the security products in the organization.
The POC code was tested on the following vendors:

Avast (CVE-2017-5567)
AVG (CVE-2017-5566)
Avira (CVE-2017-6417)
Bitdefender (CVE-2017-6186)
Trend Micro (CVE-2017-5565)
Comodo
ESET
F-Secure
Kaspersky
Malwarebytes
McAfee
Panda
Quick Heal
Norton
What makes DoubleAgent worse than other attacks is that in most hacks, the attacker needs to work a little harder to avoid the antivirus. An attack from something like this gives them the freedom to do as they please, without fear of interference. In essence, there would be no obstacle to stop them from destabilizing your system.

Usage cases for DoubleAgent could be:

Turning the Antivirus into malware
Modifying the Antivirus' internal behavior
Abusing the Antivirus' trusted nature
Destroying the machine
Denial of Service
Additionally, the hacker could run persistence mechanisms on your system, which allows for a permanent presence on that system, even after reboots, updates, reinstalls, patches, etc. Another possibility is the use of a Generic Code Injection Technique to insert malicious code into legitimate processes.

Microsoft has provided vendors with Protected Processes to mitigate code injection attacks by only allowing trusted, signed code to load. No antivirus other than Windows Defender has implemented this design, even though it has been available for three years.

Your best bet right now would be to use Windows Defender, and at least one former Mozilla engineer recommends it.

Could Avast, and other AV products, please use that protected process in an update to combat this? Makes me worried that my and other systems could fall victim to this code.

Source - http://cybellum.com/doubleagent-taking-full-control-antivirus/
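An added defender-side check, not from the article or from anyone in this thread: it audits the Image File Execution Options keys that Application Verifier uses to register verifier DLLs, so an unexpected DLL registered against an antivirus process name stands out. The baseline list of Microsoft verifier DLLs and the process-name filter are assumptions to adjust for your own environment.

```powershell
# Audit IFEO entries that enable Application Verifier or register a verifier DLL.
# Registry paths are documented Windows locations; everything else is an assumption.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$FLG_APPLICATION_VERIFIER = 0x100          # GlobalFlag bit that switches the verifier on
# Assumed baseline of Microsoft-shipped verifier DLLs; extend for tools you actually use.
$knownVerifierDlls = @('vrfcore.dll', 'vfbasics.dll')

function ConvertTo-FlagValue([object]$Value) {
    # GlobalFlag is usually REG_DWORD, but verifier tooling may write it as "0x100".
    if ($null -eq $Value) { return 0 }
    if ($Value -is [string]) { return [Convert]::ToInt32($Value, 16) }
    return [int]$Value
}

$findings = foreach ($root in $ifeoRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props      = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        $dlls       = @()
        if ($props.VerifierDlls) { $dlls = ($props.VerifierDlls -split '\s+') | Where-Object { $_ } }
        $verifierOn = ((ConvertTo-FlagValue $props.GlobalFlag) -band $FLG_APPLICATION_VERIFIER) -ne 0
        if (-not $dlls -and -not $verifierOn) { continue }
        # Anything not in the assumed baseline is worth a closer look.
        $unexpected = $dlls | Where-Object { $knownVerifierDlls -notcontains $_.ToLower() }
        [pscustomobject]@{
            Image          = $key.PSChildName
            VerifierEnabled= $verifierOn
            VerifierDlls   = ($dlls -join ' ')
            Unexpected     = ($unexpected -join ' ')
            Suspicious     = [bool]$unexpected
        }
    }
}

if ($findings) {
    $findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
} else {
    Write-Output 'No Application Verifier registrations found under IFEO.'
}
```

Run it from an elevated PowerShell prompt; a row with Suspicious set to True for a security product's process name is the condition the article describes and should be investigated rather than simply deleted.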

Offline Pondus

  • Probably Bot
  • Posts: 37547
  • Not a avast user
Re: DoubleAgent attack
« Reply #1 on: March 23, 2017, 02:08:40 PM »

Offline Alikhan

  • Avast Evangelist
  • Super Poster
  • Posts: 2220
Re: DoubleAgent attack
« Reply #2 on: March 23, 2017, 04:34:03 PM »
Only Avast 12.3 (and older) version is vulnerable.


Also don't worry about anti malware processes, all our services are anti-malware processes in both Avast/Avg (starting version 17)

Assuming you're using version 17, you are not affected.
Windows 10 Home 64-bit • Avast Free (latest stable version) •  Malwarebytes 4 Premium (On-Demand) • Windows Firewall Control • Google Chrome • LastPass • CCleaner • O&O ShutUp10 •

REDACTED

  • Guest
Re: DoubleAgent attack
« Reply #3 on: March 24, 2017, 11:41:18 PM »
I wonder if this is what happened to me today. (See my new post for details.) I'm not sure what version I was using, but I usually update when prompted. Havoc occurred after installing the update. How do I test if this was the cause? And what can I do about it?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89116
  • No support PMs thanks
Re: DoubleAgent attack
« Reply #4 on: March 24, 2017, 11:57:19 PM »
Quote
I wonder if this is what happened to me today. (See my new post for details.) I'm not sure what version I was using, but I usually update when prompted. Havoc occurred after installing the update. How do I test if this was the cause? And what can I do about it?

Given the quoted text in the first post (and the link in Reply #1) I rather doubt it was that, or you would have some very serious issues.

Also if you have avast 17.x.x then that isn't vulnerable according to other topics.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline TrueIndian

  • Poster
  • Posts: 433
Re: DoubleAgent attack
« Reply #5 on: March 25, 2017, 04:00:41 AM »
Rajni this issue was fixed long ago and is not a problem if you are using the latest version of avast!