DoubleAgent zero-day flaw exploits anti-virus tools to inject malware

Posted on Wednesday, March 22 2017 @ 15:11 CET by Thomas De Maesschalck
Israeli security firm Cybellum discovered a 15-year-old security hole that affects all versions of Windows, from Windows XP up to the latest, fully patched build of Windows 10. The attack works by abusing "Microsoft Application Verifier", a legitimate runtime verification tool used to discover bugs and to bolster the security of third-party applications.

Ironically, an undocumented feature of this tool lets an attacker replace the standard verifier with custom code, which allows the injection of an arbitrary dynamic link library (DLL) into any process.
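Because the technique rides on the verifier registration itself, the defensive check is to audit which images on a host have Application Verifier turned on and which provider DLLs they name. The PowerShell below is an added example written for this page, not code from the article or from Cybellum; the registry location and the GlobalFlag/VerifierDlls value names are taken from Microsoft's documentation of Application Verifier, and the two sample entries at the end are constructed, not real findings.

```powershell
# Added audit example (defensive). Application Verifier loads the provider DLLs
# listed in an image's "VerifierDlls" value under Image File Execution Options
# (IFEO) when bit 0x100 (FLG_APPLICATION_VERIFIER) is set in its "GlobalFlag".
# Registry details are from Microsoft's Application Verifier docs, not the article.

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$FlgApplicationVerifier = 0x100

function Test-VerifierRegistration {
    # Returns a finding object when an IFEO entry enables Application Verifier or
    # names a provider DLL; returns $null for entries with neither.
    param(
        [Parameter(Mandatory)][string]$ImageName,
        [int]$GlobalFlag = 0,
        [string]$VerifierDlls = ''
    )
    $enabled = ($GlobalFlag -band $FlgApplicationVerifier) -ne 0
    $dlls = @($VerifierDlls -split '[\s,]+' | Where-Object { $_ })
    if (-not $enabled -and $dlls.Count -eq 0) { return $null }

    # Stock verifier providers are plain file names resolvable from System32, so a
    # name that is not found there (or carries its own path) is the first thing to
    # investigate for an image that belongs to a security product.
    $unknown = @($dlls | Where-Object {
        ($_ -match '[\\/]') -or -not (Test-Path (Join-Path $env:SystemRoot "System32\$_"))
    })

    [pscustomobject]@{
        Image           = $ImageName
        VerifierEnabled = $enabled
        VerifierDlls    = $dlls
        UnknownDlls     = $unknown
    }
}

function Get-IfeoVerifierFindings {
    # Walks every per-image IFEO subkey on this machine and applies the check above.
    Get-ChildItem -Path $IfeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        # GlobalFlag may be stored as REG_DWORD or as a string such as "0x100";
        # [int] handles both forms.
        $flags = if ($props.GlobalFlag) { [int]$props.GlobalFlag } else { 0 }
        Test-VerifierRegistration -ImageName $_.PSChildName `
                                  -GlobalFlag $flags `
                                  -VerifierDlls ([string]$props.VerifierDlls)
    } | Where-Object { $_ }
}

# Constructed sample entries (hypothetical image and DLL names) showing what the
# check reports: the first is clean, the second has a verifier provider registered.
$SampleEntries = @(
    @{ ImageName = 'notepad.exe';    GlobalFlag = 0;     VerifierDlls = '' },
    @{ ImageName = 'example-av.exe'; GlobalFlag = 0x100; VerifierDlls = 'not_a_real_provider.dll' }
)
$SampleEntries | ForEach-Object {
    $entry = $_
    Test-VerifierRegistration @entry
} | Where-Object { $_ } | Format-List

# Live audit of this host (run elevated so all IFEO subkeys are readable):
# Get-IfeoVerifierFindings | Format-Table Image, VerifierEnabled, UnknownDlls
```

Run this on a baseline image first: legitimate verifier registrations do exist on developer machines, so the useful signal is a new entry for a security product's executable, or a provider DLL that the stock Application Verifier install does not ship.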

Cybellum illustrates the "DoubleAgent" attack by injecting code into Norton's antivirus tool. The firm also confirms that security software from AVAST, AVG, Avira, Bitdefender, Trend Micro, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Panda, and Quick Heal is all vulnerable to the attack.

The target does not have to be an AV tool, but the company picked these examples because they are high-profile targets: malware typically invests a lot of effort in hiding from AV, whereas DoubleAgent can take full control of the antivirus tool and do as it pleases.

DoubleAgent exploits a 15-year-old vulnerability which works on all versions of Microsoft Windows, starting from Windows XP right up to the latest release of Windows 10. The sad, but plain fact is that the vulnerability is yet to be patched by most of the antivirus vendors and could be used in the wild to attack almost any organization that uses an antivirus. Once the attacker has gained control of the antivirus, he may command it to perform malicious operations on behalf of the attacker. Because the antivirus is considered a trusted entity, any malicious operation done by it would be considered legitimate, giving the attacker the ability to bypass all the security products in the organization.

The attack has been tested and proven on all the major antiviruses as well as on all versions of Microsoft Windows. The attack was reported to all the major vendors which approved the vulnerability and are currently working on finding a solution and releasing a patch.
Full details at Cybellum.
