DoubleAgent - Can hijack your Windows as well as your Antivirus

What this article includes :

Here is an overview of the knowledge this article will provide you.

• About DoubleAgent
• About Cybellum
• About Application Verifier in Windows
• About Protected Processes
• Source Code of the DoubleAgent Tool
• Proof about its working
• How this works?
• What can be done using this tool?
• List of Hacked Antiviruses
• And a lot more..

Overview :

Are you using Windows OS on your PC..! Then you are at risk. A team of security researchers from Cybellum, an Israeli zero-day prevention firm, has discovered a new Windows vulnerability that could allow hackers to take full control of your computer.

Dubbed DoubleAgent, the new injecting code technique works on all versions of Microsoft Windows operating systems, starting from Windows XP to the latest release of Windows 10.

What's worse? DoubleAgent exploits a 15-years-old undocumented legitimate feature of Windows called "Application Verifier," which cannot be patched.

Application Verifier is a runtime verification tool that loads DLLs (dynamic link library) into processes for testing purpose, allowing developers quickly detect and fix programming errors in their applications.

" Our research team has uncovered a new Zero-Day attack for taking full control over major antiviruses and next-generation antiviruses. Instead of hiding and running away from the antivirus, attackers can now directly assault and hijack control over the antivirus ", said Cybellum.

The attack begins when the attacker injects code into the antivirus by exploiting a new Zero-Day vulnerability. Once inside, the attacker can fully control the antivirus. They named this attack DoubleAgent, as it turns your antivirus security agent into a malicious agent, giving an illusion that the antivirus protects you while actually it is abused in order to attack you.

How does DoubleAgent work?

We know that to hack any system, there should lie a vulnerability in it. Here, he vulnerability resides in how this Application Verifier tool handles DLLs. According to the researchers, as part of the process, DLLs are bound to the target processes in a Windows Registry entry, but attackers can replace the real DLL with a malicious one.

Simply by creating a Windows Registry key with the name same as application he wants to hijack, an attacker can provide his own custom verifier DLL he would like to inject into a legitimate process of any application.

Once the custom DLL has been injected, the attacker can take full control of the system and perform malicious actions, such as installing backdoors and persistent malware, hijacking the permissions of any existing trusted process, or even hijacking other users’ sessions.

Application Verifier was created in order to strengthen application security by discovering and fixing bugs, and ironically DoubleAgent uses this feature in order to perform malicious operations.

Here is what Cybellum Researchers say about this attack to get worked :

"DoubleAgent gives the attacker the ability to inject any DLL into any process. The code injection occurs extremely early during the victim’s process boot, giving the attacker full control over the process and no way for the process to protect itself."

Using DoubleAgent to get Full Control of Anti-Virus :

In order to demonstrate the DoubleAgent attack, the team hijacked anti-virus applications -- which is the main defense on systems to prevent any malware from running -- using their technique and turn them into malware.

The team was able to corrupt the anti-virus app using the DoubleAgent attack and get the security software to act as disk-encrypting ransomware.

The attack works on every version of Windows OS from Windows XP to Windows 10 and is hard to block because the malicious code can be re-injected into the targeted legitimate process after the system reboots – Thanks to the persistent registry key.

Vulnerable Antiviruses :

The researchers said most of the today's security products on the market are susceptible to the DoubleAgent attacks. Here's the list of affected security products :

• Avast (CVE-2017-5567)
• AVG (CVE-2017-5566)
• Avira (CVE-2017-6417)
• Bitdefender (CVE-2017-6186)
• Trend Micro (CVE-2017-5565)
• Comodo
• ESET
• F-Secure
• Kaspersky
• Malwarebytes
• McAfee
• Panda
• Quick Heal
• Norton

After hijacking the anti-virus software, attackers can also use the DoubleAgent attack to disable the security product, making it blind to malware and cyber attacks, using the security product as a proxy to launch attacks on the local computer or network, elevating the user privilege level of all malicious code, hiding malicious traffic or exfiltrate data, or damaging the OS or causing a denial of service.

Note: Cybellum researchers only focused on anti-virus programs, though the DoubleAgent attack could work with any application, even Windows operating system itself.

Many Antivirus are still unpatched even after 90 days of Disclousre

Cybellum said the company had reported the DoubleAgent attack to all affected anti-virus vendors more than 90 days ago.

Cybellum researchers have been working with some anti-virus companies to patch the issue, but so far, only Malwarebytes and AVG have released a patch, while Trend-Micro has planned to release one soon, as well. So, if you use any of the three apps mentioned above, you are strongly advised to update it as soon as possible.

As a mitigation, the researchers note that the simplest fix for antivirus vendors is to switch from Application Verifier to a newer architecture called Protected Processes.

Protected processes mechanism protects anti-malware services against such attacks by not allowing other apps from injecting unsigned code, but this mechanism has so far been implemented only in Windows Defender, which was introduced by Microsoft in Windows 8.1.

Cybellum has also provided a video demonstration of the DoubleAgent attack, showing how they turned an antivirus app into a ransomware that encrypts files until you pay up.

The company also posted proof-of-concept (PoC) code on GitHub, and two blog posts detailing the DoubleAgent attack.