DoubleAgent makes your Windows antivirus act as malware

by Radu Tyrsina

Security researchers have found that attackers can use Microsoft’s Application Verifier tool to take over various antivirus products. Israel-based security firm Cybellum claims that a new attack method dubbed DoubleAgent takes advantage of antivirus products for Windows (including McAfee, Panda, Avast, AVG, Avira, F-Secure, Kaspersky, Malwarebytes, Bitdefender, Trend Micro, Comodo, and ESET) and has them act as malware.

Cybellum says the DoubleAgent attack is also capable of compromising other antivirus products. The method works by manipulating the Microsoft Application Verifier, a runtime verification system that functions to detect bugs and boost the security of third-party Windows programs. The tool is included in Windows XP through to Windows 10.

How DoubleAgent works

Cybellum explained the way DoubleAgent works:

Our researchers discovered an undocumented ability of Application Verifier that gives an attacker the ability to replace the standard verifier with his own custom verifier. An attacker can use this ability in order to inject a custom verifier into any application. Once the custom verifier has been injected, the attacker now has full control over the application. Application Verifier was created in order to strengthen application security by discovering and fixing bugs, and ironically DoubleAgent uses this feature in order to perform malicious operations.

The problem doesn’t lie within Windows but rather in the security vendors who offer the antivirus products. Cybellum claims DoubleAgent can be used to attack organizations that use the susceptible antivirus programs. Malwarebytes, AVG, and Trend Micro are some of the vendors that fixed the issue for their respective products. Windows Defender seems to be the only antivirus product that’s immune to DoubleAgent due to its use of a Windows mechanism called Protected Processes. The mechanism secures anti-malware services that run in user mode.


Microsoft offers Protected Processes as a way to allow only trusted, signed code to load. Therefore, attackers cannot use DoubleAgent against the antivirus, even if an attacker finds a new zero-day technique for injecting code, because that code is not signed. Proof-of-concept attack code is now available on GitHub, courtesy of Cybellum.
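A defender-side audit for the custom verifier registration that Cybellum describes, as an added example that is not part of the original article or of Cybellum's code. It assumes the verifier is registered per executable through the `VerifierDlls` value under the Image File Execution Options registry key, a location the article itself does not name.

```powershell
# Added example (not from the article): list every executable that has an
# Application Verifier provider DLL registered, so each entry can be reviewed.
# Assumption: registrations live in the VerifierDlls value of the per-image
# Image File Execution Options (IFEO) key, in the 64-bit and 32-bit views.
$FLG_APPLICATION_VERIFIER = 0x100   # GlobalFlag bit that switches the verifier on

$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

$findings = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $dlls = $key.GetValue('VerifierDlls')
        if ([string]::IsNullOrWhiteSpace($dlls)) { continue }

        # GlobalFlag is normally a DWORD but may be stored as a hex string.
        $flag = 0
        $rawFlag = $key.GetValue('GlobalFlag')
        if ($null -ne $rawFlag) {
            try { $flag = [int64]$rawFlag } catch { $flag = 0 }
        }

        [pscustomobject]@{
            Image           = $key.PSChildName
            VerifierDlls    = $dlls
            VerifierEnabled = [bool]($flag -band $FLG_APPLICATION_VERIFIER)
            RegistryKey     = $key.Name
        }
    }
}

if ($findings) {
    # Any entry naming a security product's process, or a DLL that nobody
    # deliberately configured for debugging, deserves investigation.
    $findings | Sort-Object Image | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No VerifierDlls registrations found under Image File Execution Options.'
}
```

Developers who use Application Verifier for debugging will show up in the output too, so compare results against a known-good baseline for the machine's role.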
