Vulnerability Dubbed “DoubleAgent” Targets Antivirus

Zero day in the form of binary code, 3D illustration

A zero-day vulnerability that affects all versions of Windows OS and many antivirus programs puts billions at risk of an attack.

Security researchers from an Israel-based zero-day prevention firm called Cybellum has reported the discovery of a critical Windows OS vulnerability that could be used as a gateway by hackers to take full control of any system.

The DoubleAgent injecting code vulnerability, as it has been named, can be used on any version of Windows Operating Systems (Windows XP to Windows 10), every windows architecture (x64, x86), and every user on the computer (Admin, SYSTEM).

And although Cybellum has only focused on how the 15-year-old zero-day vulnerability can be exploited to take over antivirus software on any computer, the DoubleAgent exploit could be used to take over the process on a computer, including privileged processes such as the antivirus software and the Operating System itself.

The unpatchable feature is called the “Application Verifier,” a runtime verification tool that is used to load DLL (dynamic link library) files into processes.

Its original purpose was to allow developers to test and identify programming errors in applications in order to fix the vulnerability quickly and remotely.

Now, this apparently unpatchable runtime exploit is a vulnerability that can let in hackers to disperse malware and ransomware into a computer remotely.

How the Application Verifier Runtime Verification Tool can be exploited

Although DLLs are usually linked by the Windows Registry entry to their target processes, attackers can just as easily replace a specific DLL with a malicious one.

The key vulnerability lies in how this runtime verification tool handles specific DLLs.

Once a hacker successfully creates a Windows Registry key with a name that corresponds to the application he wants to take over, the remaining step is to provide a custom-made verifier DLL which he can then inject into any application’s legitimate processes to gain full control over it.

After the injection of the custom DLLs, which is undoubtedly the crucial step in this attack, the hacker now has unmitigated access and control of the entire system.

The malicious DLLs can be used to install persistent malware, backdoors, taking over the permissions of trusted processes, or even hijack the sessions of other users in the same system.

According to researchers from the zero-day prevention firm, the injection of the code is perpetrated early into the target system’s boot process.

This gives it no time to protect itself, thereby granting the attacker full control over the specific process.

DoubleAgent Vulnerability can be exploited to Take Full Control of Antivirus

Cybellum has only focused on how the 15-year-old zero-day vulnerability can be exploited to take over antivirus software on any computer

Cybellum has only focused on how the 15-year-old zero-day vulnerability can be exploited to take over antivirus software on any computer

The researchers from Cybellum demonstrated in a YouTube video how the DoubleAgent vulnerability can be used to hijack various antivirus applications.

Their technique involved turning what is considered any system’s main defense into malware or a gateway for malware distribution throughout the entire system.

Not only was the antivirus application completely corrupted using this vulnerability; it was also turned into a disk-encrypting ransomware.

This vulnerability is especially difficult to mitigate because the malicious code can simply be re-introduced to a system’s legitimate processes once it reboots.

This is facilitated by the hacker’s persistent registry key.

The fact that it works on all Windows OS versions is a major cause for concern, but the more chilling fact is that most of the reputable security products in the market today, including big names such as Kaspersky and Avast, can also be compromised using this vulnerability.

The DoubleAgent vulnerability gives hackers the luxury of either turning the security product into malware itself, making it incapable of detecting malware and attacks, using it to launch attacks to other computers using the same network, giving malicious codes elevated user privileges in order to make them more lethal, hiding any exfiltrate data traffic, instigating a Denial of Service attack, or damaging the operating system itself.

Many of the Affected Antiviruses Remain Unpatched 90 Days after Responsible Disclosure

Of all the affected security products, only two have provided suitable patches to the problem (AVG and Malwarebytes), while a third (Trend-Micro) will soon release an update to take care of the vulnerability.

There also exists a simpler and more thorough fix for this vulnerability according to the researchers, and it involves switching from the dated “Application Verifier” architecture to the new “Protected Processes” architecture.

The proof-of-concept was posted on Cybellum’s GitHub and accompanied by a comprehensive blog post on their website detailing exactly how the vulnerability can be used against all Microsoft Windows operating system users.

Leave a Reply