New Attack Uses Microsoft’s Application Verifier to Hijack Antivirus Software

Share this…

A new technique named DoubleAgent, discovered by security researchers from Cybellum, allows an attacker to hijack security products and make them take malicious actions.

The DoubleAgent attack was uncovered after Cybellum researchers found a way to exploit Microsoft’s Application Verifier mechanism to load malicious code inside other applications.

DoubleAgent attack leverages Microsoft’s Application Verifier

The Microsoft Application Verifier is a tool that allows developers to verify code for errors at runtime. The tool ships with all Windows versions and works by loading a DLL inside the application developers want to check.

Cybellum researchers discovered that developers could load their own “verifier DLL” instead of the one provided by the official Microsoft Application Verifier.

Simply by creating a Windows Registry key, an attacker could name the application he wants to hijack and then provide his own rogue DLL he’d like injected into a legitimate process.

Several antivirus makers affected

Cybellum researchers say that most of today’s security products are susceptible to DoubleAgent attacks. The list of affected products includes:

Avast (CVE-2017-5567)
AVG (CVE-2017-5566)
Avira (CVE-2017-6417)
Bitdefender (CVE-2017-6186)
Trend Micro (CVE-2017-5565)
Quick Heal

“We have reported [DoubleAgent to] all the vendors more than 90 days ago, and worked with [a] few of them since,” Michael Engstler, Cybellum CTO, told Bleeping Computer in an email.

At the time of writing, “the only vendors that released a patch are Malwarebytes (version number: 3.0.6 Component Update 3), AVG (version number: 16.151.8007) and Trend-Micro (should release it soon),” Engstler added.

DoubleAgent morphs security products into malware

The DoubleAgent attack is extremely dangerous, as it hijacks the security product, effectively disabling it. Depending on an attacker’s skill level, he could use the DoubleAgent flaw to load malicious code that:

  • Turns the security product off
  • Makes the security product blind to certain malware/attacks
  • Uses the security product as a proxy to launch attacks on the local computer/network
  • Elevates the user privilege level of all malicious code (security products typically run with the highest privileges)
  • Use the security product to hide malicious traffic or exfiltrate data
  • Damage the OS or the computer
  • Cause a Denial of Service

By design, the DoubleAgent attack is both a code injection technique and a persistence mechanism, as it allows an attacker to re-inject the malicious DLL inside a targeted process after each boot, thanks to the registry key.

DoubleAgent attack affects all software

Even if the Cybellum team has focused their research on antivirus software, don’t think as DoubleAgent as a threat to security products alone.

The vulnerability behind DoubleAgent, and especially its ability to inject code into any process, makes it a threat to any application, even the Windows OS itself.

Engstler, who found the flaw and has been working with security vendors to patch their products, says DoubleAgent is a universal threat.

“This technique can be used to hijack ANY application, even the applications of the operating system itself,” the expert told Bleeping Computer. “There is no need to alter our POC code in any way, you just execute it with the requested application name, and it would automatically attack it, no matter if it’s an antivirus or a different application.”

The proof-of-concept code he’s referring to is available on GitHub. Two blog posts detailing the attack, in general, and at a technical level, will be published tomorrow, March 22. The YouTube video below shows a DoubleAgent attack in action.

Cybellum recommends that security vendors use Microsoft’s Protected Processes mechanism, which the company introduced with Windows 8.1.

Protected Processes is a security system that Microsoft specifically designed for anti-malware services, and which works by wrapping around their processes and not permitting other apps to inject unsigned code.