cyber security – Give Me 10 Minutes, I’ll Give You The Truth About Doubleagent
This article explains how the DoubleAgent exploit uses Windows’ Microsoft Application Verifier to hijack antivirus software.
Security researchers at Cybellum have revealed details of a zero-day exploit that makes it possible for an attacker to take full control of antivirus software. The technique can be used to take control of just about any application, but by focusing on antivirus tools, the illusion of safety offered to victims means they are likely to be completely unaware of what is happening.
The attack works by exploiting the Microsoft Application Verifier that’s built into Windows. It is possible to replace the tool with a custom verifier which can then be used to inject malicious code into any chosen application. A number of well-known antivirus tools — including Avast, BitDefender, ESET, Kaspersky, and F-Secure — are vulnerable, while patches have been released for others.
Explaining how the exploit works, Cybellum says: “The attack begins when the attacker injects code into the antivirus by exploiting a new Zero-Day vulnerability. Once inside, the attacker can fully control the antivirus. We named this attack DoubleAgent, as it turns your antivirus security agent into a malicious agent, giving an illusion that the antivirus protects you while actually it is abused in order to attack you.”
Full details of how the exploit works can be found on the Cybellum technical blog; in essence, it is a modern take on the Trojan horse idea. Cybellum has published a video showing how Norton Antivirus can be compromised:
The DoubleAgent exploit can be used on all versions of Windows from Windows XP to Windows 10, and the use of a persistency technique means that injected code can survive a system reboot. The security firm explains:
Microsoft offers a standard way to install runtime verification tools for native code via Microsoft Application Verifier Provider DLLs. A verifier provider DLL is simply a DLL that is loaded into the process and is responsible for performing runtime verifications for the application.
In order to register a new Application Verifier Provider DLL one needs to create a verifier provider DLL and register it by creating a set of keys in the registry.
Once a DLL has been registered as a verifier provider DLL for a process, it would permanently be injected by the Windows Loader into the process every time the process starts, even after reboots/updates/reinstalls/patches/etc.
Cybellum goes on to say that it is very easy for antivirus producers to implement a method of protection against this zero-day, but it is simply not being done:
Microsoft has provided a new design concept for antivirus vendors called Protected Processes. The new concept is specially designed for antivirus services. Antivirus processes can be created as “Protected Processes” and the protected process infrastructure only allows trusted, signed code to load and has built-in defense against code injection attacks. This means that even if an attacker found a new Zero-Day technique for injecting code, it could not be used against the antivirus as its code is not signed. Currently no antivirus (except Windows Defender) has implemented this design, even though Microsoft made this design available more than 3 years ago.
It’s important to note that even when the antivirus vendors would block the registration attempts, the code injection technique and the persistency technique would live forever since it’s a legitimate part of the OS.
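The registration mechanism Cybellum describes above (a verifier provider DLL registered through a set of registry keys and then loaded by the Windows loader every time the process starts) leaves a footprint that a defender can audit. The PowerShell script below is an added example written for this page, not code from the article or from Cybellum. It reads the Image File Execution Options keys that Application Verifier uses (the GlobalFlag value with the FLG_APPLICATION_VERIFIER bit and the VerifierDlls value), lists every image that has a provider registered, and flags any provider DLL that is not on a constructed allow-list of Microsoft’s own verifier providers. The allow-list, the choice to look for the DLL in the system directories for the signature check, and the output fields are assumptions of this example.

```powershell
# Added example (not from the article or from Cybellum): audit Application Verifier
# provider registrations in Image File Execution Options (IFEO). Run in an elevated
# PowerShell on the host being audited.

# Both the native and the WOW6432Node IFEO hives can carry registrations.
$IfeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# FLG_APPLICATION_VERIFIER bit in GlobalFlag; the loader only honours VerifierDlls when it is set.
$FlgApplicationVerifier = 0x100

# Constructed allow-list of the provider DLLs shipped with Microsoft's Application Verifier.
# Assumption: adjust to what your environment legitimately deploys.
$KnownVerifierDlls = @(
    'vrfcore.dll', 'vfbasics.dll', 'vfcompat.dll', 'vfluapriv.dll',
    'vfprint.dll', 'vfnet.dll', 'vfntbase.dll', 'vfnws.dll', 'vfcuzz.dll'
)

function Get-VerifierDllSigner {
    param([string]$DllName)
    # Assumption: this example looks for the provider in the system directories only;
    # extend the search if your deployment places providers elsewhere.
    foreach ($dir in @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")) {
        $candidate = Join-Path $dir $DllName
        if (Test-Path -LiteralPath $candidate) {
            $sig = Get-AuthenticodeSignature -FilePath $candidate
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            return "$($sig.Status): $signer"
        }
    }
    return '<not found in system directories>'
}

function Get-VerifierRegistration {
    param([string]$Path)

    # Each IFEO subkey is named after an image (for example an antivirus service executable).
    foreach ($key in Get-ChildItem -Path $Path -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }

        # GlobalFlag is normally REG_DWORD, but a hex string such as "0x100" also converts cleanly.
        $globalFlag = 0
        if ($null -ne $props.GlobalFlag) {
            try { $globalFlag = [int]$props.GlobalFlag } catch { $globalFlag = 0 }
        }
        $verifierEnabled = ($globalFlag -band $FlgApplicationVerifier) -ne 0

        # VerifierDlls is a REG_SZ holding whitespace-separated DLL names.
        $verifierDlls = @()
        if (-not [string]::IsNullOrWhiteSpace($props.VerifierDlls)) {
            $verifierDlls = @($props.VerifierDlls -split '\s+' | Where-Object { $_ })
        }

        # Nothing registered for this image: skip it.
        if ($verifierDlls.Count -eq 0 -and -not $verifierEnabled) { continue }

        if ($verifierDlls.Count -eq 0) {
            # Verifier bit set but no provider listed: harmless on its own, still worth a look.
            [PSCustomObject]@{
                Image = $key.PSChildName; VerifierEnabled = $verifierEnabled
                VerifierDll = ''; KnownProvider = $true; Signer = ''; Suspicious = $false
            }
            continue
        }

        foreach ($dll in $verifierDlls) {
            $isKnown = $KnownVerifierDlls -contains $dll.ToLowerInvariant()
            [PSCustomObject]@{
                Image           = $key.PSChildName
                VerifierEnabled = $verifierEnabled
                VerifierDll     = $dll
                KnownProvider   = $isKnown
                Signer          = Get-VerifierDllSigner -DllName $dll
                # A provider outside the allow-list is the DoubleAgent-style footprint,
                # regardless of whether the flag is currently set (a dormant entry is
                # one registry write away from being active).
                Suspicious      = -not $isKnown
            }
        }
    }
}

$results = @($IfeoPaths | ForEach-Object { Get-VerifierRegistration -Path $_ })
if ($results.Count -eq 0) {
    Write-Output 'No Application Verifier provider registrations found.'
} else {
    $results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
}
```

Run it as a scheduled baseline and diff the output over time: a new image name (especially an antivirus service executable) or a new, non-Microsoft provider DLL appearing in the list is the event worth alerting on, since a legitimate Application Verifier session is normally short-lived and limited to developer machines.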
Credit – betanews.com