Your antivirus software might come with some annoyances. It might slow your computer down, or pop up so many alerts that you can’t tell when something is actually wrong. But researchers have discovered a more sinister downside: A well-intentioned debugging tool found in many versions of Microsoft Windows can be used maliciously to gain access to vulnerable antivirus programs, and weaponize them.
Discovered by researchers at the Israeli cybersecurity defense firm Cybellum, the so-called “DoubleAgent attack” abuses the Microsoft Application Verifier, a runtime debugging tool that developers use to catch memory and handle-usage bugs in native Windows applications. Application Verifier works by registering a “verifier provider” DLL for a target executable in the registry, so that the Windows loader pulls that DLL into the process every time it starts; an attacker who can write that registration (it lives under HKLM, so this requires administrator rights on the machine) can name their own DLL and have it loaded into any program. The approach could potentially manipulate any software target, but antivirus programs would be particularly appealing to an attacker since they run with such extensive system privileges for scanning.
“You’re installing antivirus to protect you, but actually you’re opening a new attack vector into your computer,” says Slava Bronfman, the CEO of Cybellum. “Hackers usually try to run away from AV and hide from it, but now instead of running away they can directly attack the AV. And once they control it they don’t even need to uninstall it, they can just quietly keep it running.”
The attack is also persistent: because the registration lives in the registry rather than in the running process, the malicious DLL is loaded again each time the target program starts, through the legitimate Application Verifier path. The researchers say that even measures like a system reboot won’t eliminate a DoubleAgent attack. And once hackers control the antivirus program they can manipulate it to execute all sorts of attacks, from passive surveillance to encrypting and ransoming off data, because of the inherent trust operating systems place in antivirus programs.
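The registration DoubleAgent relies on is visible in the registry, so a defender can enumerate it. The PowerShell script below is an added example written for this page, not code from Cybellum or from the original article: it walks the Image File Execution Options (IFEO) keys for both 64-bit and 32-bit images, lists every entry that turns on Application Verifier (the 0x100 bit in GlobalFlag) or names a VerifierDlls provider, and flags any provider DLL that is not one of the stock Application Verifier providers, does not sit in the system directory, or is not Microsoft-signed. The allowlist of provider DLL names and the "system directory only" rule are assumptions to tune for your own estate; developer machines that legitimately use appverif.exe will show benign hits.

```powershell
# Added example: hunt for Application Verifier provider DLL registrations in IFEO.
# Not part of the Cybellum research or the original article. The allowlist of
# stock provider DLLs and the system-directory rule are assumptions to tune.

$FLG_APPLICATION_VERIFIER = 0x100    # GlobalFlag bit that enables the verifier

$ifeoRoots = @{
    'x64' = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    'x86' = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
}

# Provider DLLs that Application Verifier itself ships (assumed allowlist).
$knownProviders = 'vrfcore.dll','vfbasics.dll','vfcompat.dll','vfluapriv.dll',
                  'vfnet.dll','vfprint.dll','vfntddsrv.dll'

function Resolve-VerifierDll {
    param([string]$Name, [string]$Arch)
    # A bare DLL name is resolved where a stock provider would live.
    if ([IO.Path]::IsPathRooted($Name)) { return $Name }
    $sysDir = if ($Arch -eq 'x86') { 'SysWOW64' } else { 'System32' }
    return Join-Path (Join-Path $env:SystemRoot $sysDir) $Name
}

function Get-VerifierRegistrations {
    foreach ($arch in $ifeoRoots.Keys) {
        $root = $ifeoRoots[$arch]
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath
            $flags = 0
            if ($null -ne $props.GlobalFlag) { $flags = [int]$props.GlobalFlag }
            $verifierOn = ($flags -band $FLG_APPLICATION_VERIFIER) -ne 0
            $dllList = [string]$props.VerifierDlls
            if (-not $verifierOn -and -not $dllList) { continue }

            # VerifierDlls is a whitespace-separated list of provider DLLs.
            foreach ($dll in ($dllList -split '\s+' | Where-Object { $_ })) {
                $path        = Resolve-VerifierDll -Name $dll -Arch $arch
                $leaf        = [IO.Path]::GetFileName($dll).ToLower()
                $exists      = Test-Path -LiteralPath $path
                $inSystemDir = $path -like "$env:SystemRoot\Sys*"
                $signedByMs  = $false
                if ($exists) {
                    $sig = Get-AuthenticodeSignature -FilePath $path
                    $signedByMs = $sig.Status -eq 'Valid' -and
                                  $sig.SignerCertificate.Subject -like '*Microsoft*'
                }
                [pscustomobject]@{
                    Target     = $key.PSChildName
                    Arch       = $arch
                    VerifierOn = $verifierOn
                    Dll        = $dll
                    ResolvedTo = $path
                    Exists     = $exists
                    # Unknown name, non-system location, or missing Microsoft
                    # signature: each alone is reason to triage the entry.
                    Suspicious = -not ($knownProviders -contains $leaf) -or
                                 -not $inSystemDir -or -not $signedByMs
                }
            }
            # Verifier bit set with no provider named is unusual as well.
            if ($verifierOn -and -not $dllList) {
                [pscustomobject]@{
                    Target = $key.PSChildName; Arch = $arch; VerifierOn = $true
                    Dll = '<none>'; ResolvedTo = ''; Exists = $false; Suspicious = $true
                }
            }
        }
    }
}

Get-VerifierRegistrations | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

The script is read-only and reads HKLM, which any local user can do. Remediation for a confirmed hit is to remove the VerifierDlls value and clear the 0x100 bit from GlobalFlag under the affected image's IFEO key, then delete the DLL; re-check after a reboot, since the registration is what re-loads it.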
“Once we discovered this attack we tried to understand which impact it has and which limitations, and we quickly understood that it has none,” says Cybellum chief technology officer Michael Engstler. “You can actually use it to inject any process, so once we understood that we understood that there was a major problem here.”
The researchers notified the developers of 14 vulnerable antivirus programs (Avast, AVG, Avira, Bitdefender, Trend Micro, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Panda, Quick Heal, and Norton) and say they waited 90 days before publicly disclosing the bug. So far only Malwarebytes, AVG, and Trend Micro have released a patch. There is no evidence so far that the vulnerability has ever been exploited, but it’s impossible to know for sure, especially since Windows has shipped Application Verifier since the XP days, so the technique has been available for well over a decade.
"It doesn’t seem like they’re working so hard to solve this problem," Engstler says. "I’m sure now with all the publicity things will get faster and that’s one of the motivations of publishing this, but until now it seems a little bit slower than what we thought."
The vulnerability is dangerous in itself, but also speaks to larger concerns about the role of antivirus and the incidental insecurity it can introduce into a system.
“Personally I have stopped using antivirus products, I don’t remember the last time I had it in my primary PC,” says Mohammad Mannan, a security researcher at Concordia University in Montreal who has studied antivirus vulnerabilities. “All software has bugs, but if something goes wrong with antivirus products the fallout can be very significant as in this case [with DoubleAgent]. Antivirus products generally run with a lot of privileges in the system, so if that can be compromised you get basically full access.”
Microsoft introduced a hardened process model for antivirus three years ago, called Protected Processes, in which a protected process will only load DLLs carrying an appropriate Microsoft or antimalware signature; an attacker's verifier DLL is refused, so it defeats DoubleAgent. The researchers found only one antivirus program that had adopted it: Microsoft's own Windows Defender.
Update March 23, 2017 5:30 pm: Four of the named antivirus vendors contacted WIRED with statements about DoubleAgent. Both Kaspersky Lab and Avast say they have patched the bug. Comodo says that its antivirus's default protections already negated the attack. Symantec says that its Norton Security products were not vulnerable, but adds that it has "developed and deployed additional detection and blocking protections to users in the unlikely event they are targeted."