DoubleAgent makes your Windows antivirus act as malware

By: Jay Decenella
2 minute read

Security researchers have found that attackers can use Microsoft’s Application Verifier tool to take over various antivirus products. Israel-based security firm Cybellum claims that a new attack method dubbed DoubleAgent takes advantage of this Windows tool to turn antivirus products created to prevent virus attacks – including McAfee, Panda, Avast, AVG, Avira, F-Secure, Kaspersky, Malwarebytes, Bitdefender, Trend Micro, Comodo, and ESET – into malware.

Cybellum says the DoubleAgent attack is also capable of compromising other antivirus products. The method works by manipulating the Microsoft Application Verifier, a runtime verification system that functions to detect bugs and boost the security of third-party Windows programs. The tool is included in Windows XP through to Windows 10.

How DoubleAgent works

Cybellum explained the way DoubleAgent works:

Our researchers discovered an undocumented ability of Application Verifier that gives an attacker the ability to replace the standard verifier with his own custom verifier. An attacker can use this ability in order to inject a custom verifier into any application. Once the custom verifier has been injected, the attacker now has full control over the application. Application Verifier was created in order to strengthen application security by discovering and fixing bugs, and ironically DoubleAgent uses this feature in order to perform malicious operations.

The problem doesn’t lie within Windows but rather in the security vendors who offer the antivirus products. Cybellum claims DoubleAgent can be used to attack organizations that use the susceptible antivirus programs. Malwarebytes, AVG, and Trend Micro are some of the vendors that fixed the issue for their respective products. Windows Defender seems to be the only antivirus product that’s immune to DoubleAgent due to its use of a Windows mechanism called Protected Processes. The mechanism secures anti-malware services that run in user mode.

Mitigation

Microsoft offers Protected Processes as a mechanism that allows only trusted, signed code to be loaded into a protected process. An antivirus that runs as a protected process therefore cannot be attacked with DoubleAgent, even if an attacker finds a new zero-day injection technique, because the attacker's unsigned code will not be loaded. Proof-of-concept attack code is now available on GitHub, courtesy of Cybellum.
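Application Verifier records the verifier DLLs it should load for a given executable under that executable's Image File Execution Options (IFEO) registry key, so a defender can audit those keys for verifier entries that point at non-Microsoft code. The script below is an added example written for this article, not Cybellum's proof of concept or any vendor's code; it assumes an elevated PowerShell session on the host being checked and that verifier providers are resolved from the System32 directory.

```powershell
# Added example: audit IFEO keys for Application Verifier entries and report
# which verifier DLLs they name and who signed them. Run elevated.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$FLG_APPLICATION_VERIFIER = 0x100   # GlobalFlag bit that enables Application Verifier

function Get-VerifierEntries {
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $p = Get-ItemProperty -Path $key.PSPath
            $flags = 0
            if ($null -ne $p.GlobalFlag) { $flags = [int]$p.GlobalFlag }
            # Skip images that have neither the verifier flag nor a verifier DLL list
            if (-not $p.VerifierDlls -and -not ($flags -band $FLG_APPLICATION_VERIFIER)) { continue }
            foreach ($dll in ([string]$p.VerifierDlls -split '\s+' | Where-Object { $_ })) {
                # Assumption: providers are loaded from the system directory, so that is
                # where the file named in the registry is inspected.
                $path   = Join-Path $env:SystemRoot "System32\$dll"
                $signer = 'missing'
                if (Test-Path $path) {
                    $sig = Get-AuthenticodeSignature -FilePath $path
                    $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject }
                              else { "unsigned/$($sig.Status)" }
                }
                [pscustomobject]@{
                    Image      = $key.PSChildName
                    Dll        = $dll
                    Path       = $path
                    Signer     = $signer
                    GlobalFlag = ('0x{0:X}' -f $flags)
                }
            }
        }
    }
}

# Any verifier DLL not signed by Microsoft loaded into an antivirus executable
# deserves an investigation; legitimate Application Verifier providers are Microsoft-signed.
Get-VerifierEntries | Where-Object { $_.Signer -notmatch 'Microsoft' } | Format-Table -AutoSize
```

A clean machine normally produces no rows; rows whose Image column names an antivirus process are the case the article describes.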

