DoubleAgent - does it really turn AV into malware?

03/30/2017
G DATA Blog

A company offering protection against Zero-day exploits, exposes a vulnerability in Windows, which allegedly allows attackers to turn AV-products into malware. A lot of uncertainty has been created. On closer inspection, there is no reason to panic.

There has been a discussion about an alleged vulnerability, which allows an attacker to turn anti-virus software into malware. Just like spies which have been "turned", as seen in old movies, the double agent is now working against his former conviction. The picture painted here is puzzling and frightening - but it is also incomplete.

What is the "attack" about?

Microsoft Windows offers software developers a possibility to find errors in their own code, using theApplication Verifier. Unlike with a debugger this is accomplished by injecting a program library (DLL) with special search and reporting functionality into the process of the scrutinized software. A not officially documented, but definitely known feature of Application Verifier allows developers to replace the original Verifier with modified versions. This permits the injection of arbitrary code into any application. And any really means any. It is exemplified with anti-virus software. Fourteen different vendors are listed and accused to be vulnerable. They have been informed about the vulnerability 90 days in advance of the publication. Several dozens of vendors - including G DATA - were not informed. 

How dangerous is this in reality?

Assessing the real risk of a threat depends on multiple factors:

How widespread is the vulnerability?|Very widespread; it is a standard tool
How easy is it to exploit?|Requires admin privileges
What is the benefit?|Very little, because you are admin before & after

 

Such a vulnerability only becomes a real danger when it is exploited by malware. If security researchers publish new vulnerabilities in a responsible way, then at this time there is usually no risk. Malware authors need to analyse it and create their own exploit code. Sometimes this only takes a few days (or hours). In most cases this never happens. But this is different here. 

In 2015 Microsoft reported about a Trojan Horse called Bampeass.C  which abuses Application Verifier to bypass User Account Control (UAC). This definitely did not turn into a trend. Quite the contrary, malware samples which use Application Verifier for DLL-Hijacking are exotic rarities. i.e. at this moment no-one needs to worry. The panic that has been caused by the stir in the press is unfounded.

The devil is in the detail

Double agent is often called a Zero-day exploit. The usage of this term is inappropriate. In strict terms it is not even a vulnerability. A system function is abused and after all it is about malware registering for autostart via the Windows Registry. The injection into the target process is delivered as a free bonus. Kudos go to Jürgen Schmidt who pointed this out on Heise (source in German).

As mentioned above, the described vulnerability is not even new. It was described at  Virus Bulletin in 2011 already. Even Microsoft blogged about it in 2012. Alex Ionescu is also not amused about the aspiring Israeli IT-security company presenting material from a talk he had given in Tel Aviv two years ago and passing it off as "new findings".

The article also remains silent about the prerequisites of the attack. In order to create the registry needed for the hack admin privileges are required. With those permissions acquired, an attacker can perform all the activities he wants and that are described in the article: exfiltrate files, communicate with a C2 server, destroy machines, overload services etc.. If an attacker has admin privileges already, why should he care about bothering with AV-software? All the bad things mentioned in the article can be realized without messing with AV-software. The suspicion arises that the current trend towards generalized AV vendor bashing is utilized by clever marketing people.

Are G DATA customers affected?

To make it quite plain: This vulnerabilty is currently not dangerous. We will report about it here in case this changes. 

Since we have only learned about this through the press, we are still running analyses whether we are really affected and will of course do anything necessary to close the gap. In addition we have added rule sets to our protection that we have identified as a prerequisite for this attack. We are confident that we will detect malware that is treading this path. 

Forecast - much ado about nothing

t is unlikely that the vulnerability called DoubleAgent will actually exploit AV-software. As it requires admin privileges, it could immediately start its malicious activities. There is no need to mess around with other software (including AV). The media hype might have promoted this way of DLL injection. We will see, and we are prepared.

Brief summary

  • DoubleAgent is no danger. Many reports in the media create a wrong impression.
  • AntiVirus software can take protect itself
  • The demonstrated attack on AV software is completely pointless for real attacks.
  • It created abundant publicity. From a technical perspective, it missed the point.