Antivirus is installed to keep our devices secure from incoming threats and malware. What if the savior turns into a villain? What if your antivirus becomes a double agent? What if it stands up against the very thing it was supposed to protect? What if it becomes Ultron, Iron Man and Hulk’s experiment to create a savior for mankind, gone wrong?
According to Cybellum, an Israeli cybersecurity defense firm, the attack, named DoubleAgent, abuses Microsoft Application Verifier (a runtime verification tool for unmanaged code) to inject code into a program and manipulate it. Antivirus products have drawn all the attention in this attack because they run with privileged access above all other software installed on the system. Through this attack, our antivirus can be turned against the system and manipulated by hackers.
Slava Bronfman, CEO of Cybellum, stated: “You’re installing an antivirus to protect you, but actually you’re opening a new attack vector on your computer. Hackers usually try to run away from antivirus and hide from it, but now instead of running away, they can directly attack the antivirus. And once they control it, they don’t even need to uninstall it. They can just quietly keep it running.”
As the attack unfolds, the injected code takes over and hands control to the attacker. Once hackers control the antivirus, they can manipulate its code and use the software in any way they choose. If the attempt succeeds, snooping on your private information or stealing data becomes a piece of cake. In the worst case, hackers can encrypt system files or even format the hard drives.
Once the system is under attack, there is no easy way out: rebooting the system or uninstalling and reinstalling the software will not work.
“Double Agent attack gives the attacker the ability to control the AV without being detected, while keeping the illusion that the AV is working normally,” says Slava Bronfman, cofounder and CEO of Cybellum.
“Once we discovered this attack we tried to understand which impact it has and which limitations, and we quickly understood that it has none,” says Cybellum chief technology officer Michael Engstler. “You can actually use it to inject any process, so once we understood that there was a major problem here.”
The developers of all the affected antivirus programs (Avast, AVG, Avira, Bitdefender, Trend Micro, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Panda, Quick Heal, and Norton) were notified and are currently working on a fix for the issue.
Microsoft developed a technique called Protected Process three years ago. It protects an antivirus program’s code from being overwritten without proper validation, and it successfully blocks DoubleAgent. Other than Windows Defender, no one else has implemented this protection so far. It’s high time every other antivirus vendor started using this technique to protect their products.
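As an added example (not from the article, Cybellum or any antivirus vendor), here is a PowerShell check a defender can run to list the Application Verifier registrations the attack relies on. It assumes Application Verifier is configured per executable through the Image File Execution Options registry key, using the GlobalFlag value (bit 0x100) and the VerifierDlls value, and that provider DLLs given without a full path are loaded from System32; on a machine where nobody is debugging with Application Verifier, the list should be empty.

```powershell
# Added example, not from the original article: enumerate per-executable Application Verifier registrations.
$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$FLG_APPLICATION_VERIFIER = 0x100   # bit in GlobalFlag that turns Application Verifier on for the image

function Get-AppVerifierRegistration {
    param([string]$Path = $IfeoPath)

    foreach ($key in (Get-ChildItem -Path $Path -ErrorAction SilentlyContinue)) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }

        # GlobalFlag is normally REG_DWORD; tolerate a REG_SZ written as "0x100" as well.
        $flags = 0
        if ($props.GlobalFlag -is [int]) { $flags = $props.GlobalFlag }
        elseif ($props.GlobalFlag)      { $flags = [Convert]::ToInt32((([string]$props.GlobalFlag) -replace '^0x', ''), 16) }

        # VerifierDlls is a space-separated list of provider DLL names loaded into the process at startup.
        $dlls = @()
        if ($props.VerifierDlls) { $dlls = @(([string]$props.VerifierDlls) -split '\s+' | Where-Object { $_ }) }

        $verifierOn = ($flags -band $FLG_APPLICATION_VERIFIER) -ne 0
        if (-not $verifierOn -and $dlls.Count -eq 0) { continue }   # ordinary IFEO entry, nothing to report

        foreach ($dll in $dlls) {
            # Assumption: a bare DLL name resolves under System32; report its Authenticode status too.
            $full = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $env:SystemRoot "System32\$dll" }
            $sig  = if (Test-Path $full) { (Get-AuthenticodeSignature -FilePath $full).Status } else { 'FileMissing' }
            [PSCustomObject]@{
                Image       = $key.PSChildName
                VerifierOn  = $verifierOn
                VerifierDll = $full
                Signature   = $sig
            }
        }
        if ($dlls.Count -eq 0) {
            # Verifier bit set but no provider DLL named: still worth knowing about.
            [PSCustomObject]@{ Image = $key.PSChildName; VerifierOn = $verifierOn; VerifierDll = '(none)'; Signature = 'n/a' }
        }
    }
}

# Review every hit: a registration for an antivirus executable that you did not create yourself,
# or a provider DLL whose signature is not 'Valid', deserves investigation.
Get-AppVerifierRegistration | Format-Table -AutoSize
```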
Malwarebytes, AVG, Trend Micro, Kaspersky and Avast have released patches to fix this flaw.
Norton and Comodo confirmed that their software already neutralizes the attack. Symantec stated that they “have developed and deployed additional detection and blocking protections to users in the unlikely event they are targeted.”
Soon all the antivirus programs will release bug fixes to overcome this menace. But it leaves us with a perturbing question: what if the antivirus programs are vulnerable to the next attack? Where does that leave us? Such an annoying but bitter truth can shake the very foundation of trust forged by antivirus programs. To ensure it never happens again, vendors have to go the extra mile and check for upcoming threats before any damage is done.
What do you think? Let us know in the comments below!