The Cybellum research team has discovered a new Zero-Day attack technique that allows attackers to take control of a victim's computer by hijacking the antivirus software running on it.
The attack has been named DoubleAgent. It exploits an old vulnerability in Microsoft Application Verifier to inject malicious code into antivirus or antimalware products, turning them into a malicious agent.
Microsoft Application Verifier is a tool designed to detect and fix minor problems and critical security flaws, and it ships as a component of every Windows version. Developers test their applications by having the Application Verifier DLL loaded into the application. As the Cybellum experts explain, an attacker can use the same utility to have a malicious DLL loaded instead and turn any next-generation antivirus into a malicious program. The antivirus is then used to silently take control of the computer instead of protecting it from threats.
The DoubleAgent attack is extremely dangerous because it can be used to hijack and abuse any security product. By exploiting the DoubleAgent mechanism, an attacker can disable the antivirus, make it ignore certain types of malware, use the antivirus as a proxy for attacks on the local network, encrypt files, cause a denial of service, or even format the hard drives.
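As an added defender-side example (not code from Cybellum or from any vendor named here), the following PowerShell audit lists which executables have Application Verifier provider DLLs registered, the loading mechanism DoubleAgent abuses, so an unexpected provider attached to a security product stands out. It assumes an elevated session on Windows, the standard Image File Execution Options keys with their VerifierDlls and GlobalFlag values (bit 0x100 is FLG_APPLICATION_VERIFIER), and a simple trust heuristic: a provider DLL is considered expected only if it exists in System32 and carries a valid Microsoft Authenticode signature.

```powershell
# Added example: audit Image File Execution Options (IFEO) for Application Verifier
# provider DLLs and report anything that deserves review.
# Assumptions: elevated PowerShell on Windows; IFEO key paths, the VerifierDlls value
# and the 0x100 (FLG_APPLICATION_VERIFIER) bit in GlobalFlag are standard Windows items;
# "ok" is a heuristic (DLL present in System32 and Microsoft-signed), not proof of safety.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$FLG_APPLICATION_VERIFIER = 0x100

function Test-VerifierProvider {
    param([string]$DllName)
    $path = Join-Path $env:SystemRoot "System32\$DllName"
    if (-not (Test-Path $path)) { return "REVIEW: $DllName not found in System32" }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*') {
        return "ok ($path)"
    }
    return "REVIEW: unsigned or non-Microsoft signer ($path)"
}

$report = foreach ($root in $ifeoRoots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if (-not $props.VerifierDlls) { return }   # no verifier provider registered for this image
        $globalFlag = if ($props.GlobalFlag) { [int]$props.GlobalFlag } else { 0 }
        [pscustomobject]@{
            Image      = $_.PSChildName              # e.g. an antivirus service executable
            VerifierOn = (($globalFlag -band $FLG_APPLICATION_VERIFIER) -ne 0)
            Providers  = $props.VerifierDlls
            Assessment = ($props.VerifierDlls -split '\s+' | Where-Object { $_ } |
                          ForEach-Object { Test-VerifierProvider $_ }) -join '; '
        }
    }
}
$report | Format-Table -AutoSize
```

Any row whose Image is a security product's executable and whose Assessment is not "ok" is a candidate for the hijack described above and should be investigated together with the registry key's last-write time.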
Vulnerable Antivirus Tools:
- Avast (CVE-2017-5567)
- Bitdefender (CVE-2017-6186)
- Trend Micro (CVE-2017-5565)
- AVG (CVE-2017-5566)
- Avira (CVE-2017-6417)
- Quick Heal
The Cybellum researchers have already informed the developers of these anti-malware products about the problem. Currently, only Malwarebytes and AVG have released patches that fix this vulnerability. Trend Micro is working on the appropriate patch.