Antivirus becomes Malware! ‘DoubleAgent’ attacks discovered

Many antivirus programs can be loud and annoying, slow your computer down, and block harmless content while trying to protect your system. Worse than all of this, as researchers have recently discovered, is a flawed debugging tool found in some versions of Microsoft Windows that can be exploited in a way that allows access to antivirus programs. The antivirus can then be turned into a weapon against you.

Microsoft Application Verifier, a tool used for strengthening security in some Windows applications, can be manipulated by a new, so-called “DoubleAgent” attack that injects customized code into programs. This approach was discovered by researchers at Cybellum, an Israeli cyber security defense firm. The researchers warned that any software could be targeted, but antivirus programs are especially at risk since they have the biggest system privileges when it comes to scanning.

The CEO of Cybellum said that hackers usually try to run and hide from antivirus programs, but by using this method, they could openly attack them and take control.

An antivirus controlled by a hacker can then allow more malware to slip in and infect the system, which can lead to data being encrypted or stolen, passive surveillance and similar privacy breaches.

Experts say that even measures like a system reboot won’t eliminate the attack. Cybellum chief technology officer Michael Engstler even said that while studying it, they discovered no limitations concerning the impact or the ability to infect and that this is a serious problem.

The developers of 14 vulnerable antivirus programs (Avast, AVG, Avira, Bitdefender, Trend Micro, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Panda, Quick Heal, and Norton) were notified of this problem, but only 3 of them (Trend Micro, Malwarebytes, and AVG) have released a patch so far. Although there is no evidence of this vulnerability being exploited, researchers say that it’s impossible to know for sure, since Application Verifier has been included in Windows since XP.

Engstler expressed his concern about the slow progress in solving the problem and hopes that the process will speed up now that this information has been made public.

This approach sheds new light on the problems and insecurity that an antivirus can pose to the system it watches over. Mohammad Mannan, a security researcher at Concordia University in Montreal, has admitted that all software has bugs, and said that “If something goes wrong with antivirus products, the fallout can be very significant, as in this case.”

Protected Processes, a security-minded architecture for antivirus programs, was released by Microsoft three years ago, and the researchers stated that it can successfully protect users from DoubleAgent attacks. Interestingly, the only antivirus program that has implemented Protected Processes is Windows Defender itself.