UPDATED 14:03 EDT / MARCH 22 2017


Antivirus-breaking exploit found in Windows security mechanism

Practically all of the leading antivirus programs that Windows users rely on to protect their devices can be turned against them, according to Cybellum Networks Ltd.

The threat stems from a newly discovered zero-day flaw in Microsoft Corp.’s operating system that could enable hackers to bypass most conventional methods of combating malware. Cybellum said in a blog post today that the issue lies with Application Verifier, a mechanism Windows uses to identify applications suffering from security flaws.

The weakness lies in how the tool looks for those flaws. Under normal circumstances, Application Verifier attaches a DLL file to every program it checks; that DLL watches for misuse of memory resources and other potential indicators of foul play. DoubleAgent, as Cybellum has named the exploit, allows hackers to replace that file with malware.

The access rights afforded to Application Verifier, because it is part of Windows, allow hackers to carry out a wide range of attacks with little risk of detection. Cybellum says DoubleAgent can be exploited to steal data from a program, alter its behavior and infect other software, among other things. Worse, the DLL files used by the mechanism are permanently registered in the part of Windows responsible for launching programs, which means the infection can’t be cleared by reinstalling a compromised application.
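Because the verifier DLL registration survives reinstalling the application, a defender’s first check is to audit what Application Verifier has been told to load. The following PowerShell audit is an added example, not Cybellum’s or Microsoft’s code: it walks the Image File Execution Options (IFEO) registry keys that Application Verifier uses, lists every registered `VerifierDlls` entry, and flags entries whose DLL name is not in an assumed baseline of Microsoft verifier providers or is given as a full path. The baseline list is an assumption to tune for your environment; the script assumes an elevated session on 64-bit Windows.

```powershell
# Added example: audit Application Verifier DLL registrations in IFEO.
# Assumes an elevated PowerShell session on 64-bit Windows; the baseline
# DLL list below is an assumption and should be tuned per environment.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
# Assumed baseline of verifier provider DLLs shipped by Microsoft.
$knownVerifierDlls = @('verifier.dll', 'vrfcore.dll', 'vfbasics.dll', 'vfcompat.dll')
$FLG_APPLICATION_VERIFIER = 0x100   # GlobalFlag bit that turns verification on for the image

$findings = foreach ($root in $ifeoRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.VerifierDlls) { continue }
        $flags = if ($props.GlobalFlag) { [int]$props.GlobalFlag } else { 0 }
        # VerifierDlls is a space-separated list of DLLs injected into the image at startup.
        foreach ($dll in ($props.VerifierDlls -split '\s+' | Where-Object { $_ })) {
            $name = [System.IO.Path]::GetFileName($dll).ToLowerInvariant()
            [pscustomobject]@{
                Image           = $key.PSChildName
                VerifierDll     = $dll
                VerifierEnabled = (($flags -band $FLG_APPLICATION_VERIFIER) -ne 0)
                Hive            = $root
                # Unknown provider name or an explicit path both deserve a closer look.
                Suspicious      = ($knownVerifierDlls -notcontains $name) -or ($dll -ne $name)
            }
        }
    }
}

if (-not $findings) {
    Write-Output 'No VerifierDlls registrations found under IFEO.'
} else {
    $findings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
}
```

Any entry flagged as suspicious should be cross-checked against the on-disk DLL (publisher signature, path, file hash) before it is removed, since legitimate developer tooling also registers verifier providers this way.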

Cybellum claims that DoubleAgent may be exploited to breach “any” Windows software, but the risk to antivirus offerings is particularly severe given their vital role in upholding security and the increased likelihood of attackers trying to target them. The internal safeguards that most threat detection tools employ to block hacking attempts did little to mitigate the exploit in the startup’s tests. According to its blog post, its researchers found 14 popular antivirus programs to be vulnerable.

Cybellum Chief Executive Slava Bronfman told Network World that only AVG and Malwarebytes have patched their respective offerings so far, but the rest of the market will no doubt follow suit given the severity of the threat. Microsoft can be expected to issue a patch as well, given that the fault is ultimately in Windows. In the meantime, users of the company’s operating system should probably take extra care to avoid suspicious sites and risky downloads.

