New zero-day vulnerability can inject a custom verifier into antivirus code.
As if tech users and IT departments didn’t have enough to worry about, a new form of Windows-based attack has been uncovered. Researchers at Cybellum discovered the zero-day attack, which they are calling DoubleAgent because it works by abusing the Microsoft Application Verifier. The main target – though certainly not the only one – is antivirus software, since it can be manipulated into letting threats pass through.
Once the attacker injects a custom verifier into the AV code, they essentially control the functionality of the software. Even worse, they can create a Windows Registry key that makes the system keep loading the custom verifier every time the user reboots, giving the attack persistence.
This is a significant departure from the usual method of attack. Typically, an attacker has to spend a great deal of time and energy getting around antivirus and anti-malware protections, but DoubleAgent lets them simply take over the AV and do whatever they please. They are not limited to actions such as changing the whitelist or making a company’s AV software perform functions that would otherwise attract attention; they can even turn the installed AV software itself into malware that suits their purposes. Worse still, a verifier injected into the AV code could turn it into a blocker of legitimate activity, effectively launching a denial-of-service (DoS) attack that spreads across a company’s entire network and shuts the whole thing down.
Unfortunately, at this time the jury is still out on which top-selling antivirus products have issued patches that close the vulnerability. Some reports of fixes have been hotly contested, only to be shown false by researchers. In the meantime, Microsoft is developing a tool specifically for antivirus vendors to protect against this type of attack.
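The persistence described above relies on a registry setting that the article does not name: Application Verifier provider DLLs are configured per executable under the Windows Image File Execution Options (IFEO) key, via the VerifierDlls value together with the FLG_APPLICATION_VERIFIER bit (0x100) in GlobalFlag. The following audit script is an added example, not code from the article or from Cybellum, that lists every process on a host with such a hook so an administrator can compare it against what they expect (on a machine that does not use Application Verifier for development, any entry deserves a look).

```powershell
# Added defender-side audit (not part of the original article): enumerate IFEO
# entries that cause the Windows loader to load Application Verifier provider
# DLLs into a named process. Assumes the standard IFEO key locations below.
function Get-VerifierDllEntries {
    [CmdletBinding()]
    param()

    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            $dlls  = $props.VerifierDlls
            $flags = $props.GlobalFlag

            # 0x100 is FLG_APPLICATION_VERIFIER; the loader honours VerifierDlls
            # only when this bit is set, so report either indicator.
            $verifierOn = ($null -ne $flags) -and (([int]$flags -band 0x100) -ne 0)
            if ([string]::IsNullOrWhiteSpace($dlls) -and -not $verifierOn) { continue }

            [pscustomobject]@{
                Process      = $key.PSChildName
                VerifierDlls = $dlls
                GlobalFlag   = if ($null -ne $flags) { '0x{0:X}' -f [int]$flags } else { $null }
                KeyPath      = $key.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
            }
        }
    }
}

# Triage helper: compare the live entries against a list of executables the
# administrator knows are legitimately run under Application Verifier.
function Get-UnexpectedVerifierEntries {
    param([string[]]$ExpectedProcesses = @())
    Get-VerifierDllEntries | Where-Object { $ExpectedProcesses -notcontains $_.Process }
}

# Example run (constructed): nothing is expected on a production host, so every
# hooked process is printed for review, including any AV executable.
Get-UnexpectedVerifierEntries -ExpectedProcesses @() | Format-Table -AutoSize
```

Run it elevated so both IFEO hives are readable; pairing it with a scheduled export of the same keys gives a baseline that makes a newly added hook stand out.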