Slashdot Mirror


Anti-Virus Vendors Scramble To Patch Hijacking Exploit Involving Microsoft Tool (securityweek.com)

"A zero-day attack called Double Agent can take over antivirus software on Windows machines," Network World reported Wednesday. wiredmikey writes: The attack involves the Microsoft Application Verifier, a runtime verification tool for unmanaged code that helps developers find subtle programming errors in their applications... [The exploit] allows a piece of malware executed by a privileged user to register a malicious DLL for a process associated with an antivirus or other endpoint security product, and hijack its agent.
Patches were released by Malwarebytes, AVG, and Trend Micro, the security researchers told BleepingComputer earlier this week. Kaspersky Lab told ZDNet "that measures to detect and block the malicious scenario have now been added to all its products," while Norton downplayed the exploit, saying the attack "would require physical access to the machine and admin privileges to be successful," with their spokesperson "adding that it has deployed additional detection and blocking protections in the unlikely event users are targeted."

BetaNews reports that the researchers "say that it is very easy for antivirus producers to implement a method of protection against this zero-day, but it is simply not being done. 'Microsoft has provided a new design concept for antivirus vendors called Protected Processes...specially designed for antivirus services...the protected process infrastructure only allows trusted, signed code to load and has built-in defense against code injection attacks.'"
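The summary names the mechanism (an Application Verifier provider DLL registered for the security product's process) and the proposed fix (running the agent as a Protected Process), but gives a defender nothing to run. The following is an added example, not code from the article, from the researchers, or from any vendor named here: a read-only PowerShell audit that lists Application Verifier registrations under Image File Execution Options (IFEO), checks who signed any provider DLL it can find, and reports whether each targeted image is currently running as a Protected Process Light (PPL). Assumptions are labelled in the comments: the IFEO value names and the `FLG_APPLICATION_VERIFIER` bit come from Microsoft's GlobalFlag documentation, the `ProcessProtectionInformation` class number and `PS_PROTECTION` byte layout come from the Windows SDK headers, and the two DLL drop locations checked are the obvious ones rather than an exhaustive loader search path. Run it from an elevated PowerShell 5.1 or later prompt.

```powershell
# Added example (not from the article or the DoubleAgent researchers). Read-only audit:
#  1. Which images have Application Verifier providers registered under IFEO?
#  2. Are those provider DLLs present on disk, and who signed them?
#  3. Is the targeted image running as a Protected Process (Light) right now?
# Assumptions: FLG_APPLICATION_VERIFIER = 0x100 in GlobalFlag and the REG_SZ "VerifierDlls"
# value are the documented AppVerifier hooks (developers using AppVerifier legitimately set the
# same values with Microsoft-signed providers, so triage by signer); ProcessProtectionInformation
# is class 61 of NtQueryInformationProcess and returns one PS_PROTECTION byte with Type in
# bits 0-2 and Signer in bits 4-7; System32/SysWOW64 are the obvious, not the only, DLL locations.

$FLG_APPLICATION_VERIFIER = 0x100
$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class ProcProt {
    [DllImport("ntdll.dll")]
    static extern int NtQueryInformationProcess(IntPtr h, int cls, out byte info, int len, out int ret);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr h);
    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000; // granted even on protected targets
    const int ProcessProtectionInformation = 61;
    // Returns the raw PS_PROTECTION byte, or -1 if the process could not be opened or queried.
    public static int GetLevel(int pid) {
        IntPtr h = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (h == IntPtr.Zero) return -1;
        try {
            byte b; int r;
            int status = NtQueryInformationProcess(h, ProcessProtectionInformation, out b, 1, out r);
            return status == 0 ? (int)b : -1;
        } finally { CloseHandle(h); }
    }
}
'@

function Get-ProcessProtection {
    # Decodes PS_PROTECTION into "Type/Signer". "None/None" means nothing stops an admin-level DLL load.
    param([int]$ProcessId)
    $raw = [ProcProt]::GetLevel($ProcessId)
    if ($raw -lt 0) { return 'unknown' }
    $types   = @('None', 'ProtectedLight', 'Protected')
    $signers = @('None', 'Authenticode', 'CodeGen', 'Antimalware', 'Lsa', 'Windows', 'WinTcb', 'WinSystem', 'App')
    $t = $raw -band 0x7
    $s = ($raw -shr 4) -band 0xF
    $tn = if ($t -lt $types.Count)   { $types[$t] }   else { "Type$t" }
    $sn = if ($s -lt $signers.Count) { $signers[$s] } else { "Signer$s" }
    "$tn/$sn"
}

function Get-VerifierRegistrations {
    # One record per IFEO subkey that enables Application Verifier or names provider DLLs.
    foreach ($root in $IfeoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $hive = if ($root -like '*WOW6432Node*') { 'WOW6432Node' } else { 'Native' }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            $flags = [int]($props.GlobalFlag -as [int])      # REG_DWORD, or "0x100" as a string
            $dlls  = [string]$props.VerifierDlls            # space-separated provider DLL names
            if (-not (($flags -band $FLG_APPLICATION_VERIFIER) -or $dlls)) { continue }
            $image = $key.PSChildName                       # e.g. the AV service executable name
            $paths = @($dlls -split '\s+' | Where-Object { $_ } | ForEach-Object {
                $name = $_
                @("$env:SystemRoot\System32\$name", "$env:SystemRoot\SysWOW64\$name") |
                    Where-Object { Test-Path -LiteralPath $_ }
            })
            $sigs = @($paths | ForEach-Object {
                $sig = Get-AuthenticodeSignature -LiteralPath $_
                '{0}: {1} ({2})' -f $_, $sig.Status, $sig.SignerCertificate.Subject
            })
            # Report the protection state of any running instance of the targeted image.
            $baseName = [IO.Path]::GetFileNameWithoutExtension($image)
            $running  = @(Get-Process -Name $baseName -ErrorAction SilentlyContinue)
            [pscustomobject]@{
                Image        = $image
                Hive         = $hive
                VerifierOn   = [bool]($flags -band $FLG_APPLICATION_VERIFIER)
                VerifierDlls = $dlls
                DllsFound    = $sigs
                Running      = @($running | ForEach-Object { 'PID {0}: {1}' -f $_.Id, (Get-ProcessProtection $_.Id) })
            }
        }
    }
}

$findings = @(Get-VerifierRegistrations)
if ($findings.Count -eq 0) {
    Write-Host 'No Application Verifier registrations under IFEO.'
} else {
    # A VerifierDlls entry naming a missing or non-Microsoft DLL, on an image whose running
    # instance reports "None/None", is exactly the hijack path the story describes.
    $findings | Format-List
}
```

Reading the output: a developer who has AppVerifier enabled on their own binary shows Microsoft-signed providers and is noise; a security product's service with a provider you do not recognise is the finding. The `Running` column is what ties this to the Protected Process discussion further down the thread: a process reporting `ProtectedLight/Antimalware` will refuse to load an improperly signed provider, which is the remedy the summary says vendors were slow to adopt, while `None/None` means the registry entry alone is enough. The script deliberately does not delete anything; removing the `VerifierDlls` value and clearing bit 0x100 of `GlobalFlag` on the affected key is a one-line follow-up once the DLL has been captured for analysis.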

48 comments

  1. Oh, Norton! by hackwrench · · Score: 2

    I bought an HP Pavilion 500-165 off of someone for $100 who said it ran slow, and I uninstalled Norton and the problem went away. So Norton is the greatest program ever invented for acquiring computers cheaper from people.

    1. Re:Oh, Norton! by Anonymous Coward · · Score: 0

      If you like the thrill of using a pre-owned computer without re-installing the operating system (and these days re-flashing the BIOS), you definitely do not need a virus scanner. Any hardware I get starts off with a "dd if=/dev/zero of=/dev/sda", even if I re-install a (decent) operating system.

    2. Re:Oh, Norton! by Anonymous Coward · · Score: 0

      Throw McAfee on that list of AV applications that bring a machine to a crawl. Worst AV I've ever used, or been forced to use, as it's mandated at my work. I use Avast at home and it has a very small footprint on system performance compared to that McAfee POS.

    3. Re: Oh, Norton! by Anonymous Coward · · Score: 0

      Eh, I'd clone my system drive over to the new computer like I always do.
      I only installed Windows 7 once, but that same install is on several machines now. 7 is pretty good at that; I bet 10 would shit a brick.

    4. Re:Oh, Norton! by RubberDogBone · · Score: 1

      Ah, McAfee. I used to do a lot of gaming with a group of ladies. Actual biological females. Being way too old for any of them to worry about, and being old enough to be polite, it was a good place to hang out and game. We got along fine. Still do.

      They had a clan thing going and used voice chat to talk as they hopped from game to game to game. It was a lot of fun.

      Anyway, I knew a lot more about PCs than any of them, which is fine. Nobody really needs to know much. Several of the ladies had ongoing performance problems and it turned out they all had McAfee. So I walked them through getting rid of that turd and gave them all Eset licenses. Everybody had very good results. They now talk to their friends and selectively choose who is told to install McAfee and who is told to get rid of it.

      Ah dirty tricks.

      --
      Sig for hire.

  2. Privileged User by Anonymous Coward · · Score: 2, Insightful

    Something executed by a "privileged user" can and should be able to remove anti-virus by design, how else could AV get installed and uninstalled if not by a privileged user?

    This is why you protect your admin/root accounts.

  3. Futile. by Anonymous Coward · · Score: 0

    Futile is the only applicable word. I'm fine with people that keep patching it up for sentimental reasons, but they will be wasting their own time. NOT a single virus scanner manufacturer will accept damages when your company gets hacked to oblivion despite their best efforts. Every single virus these days targets many different security holes. If you manage to patch all but one hole, you would not prevent a single virus from taking over a machine. I tell my boss that using Windows has some benefits but it puts the company at great risk, every single day. I only take responsibility for the (non-Windows) servers, and any data that is not accessible by any Windows machine; the rest of the data (basically all of it) is up for grabs.

  4. ::yawn:: by Anonymous Coward · · Score: 0

    BSD user reporting in!

    Turning up the Megadeth on the speakers.

    Can't hear anything you all are saying.

    What??

    1. Re:::yawn:: by Anonymous Coward · · Score: 0

      Wouldn't be the first time a Megadeth fan ignored good advice.

  5. Good luck getting that out quickly... by Anonymous Coward · · Score: 0

    after firing your QA.

    1. Re: Good luck getting that out quickly... by Anonymous Coward · · Score: 0

      They didn't for all of them, only the good people since they were more expensive.

  6. Complete marketing wank by shellster_dude · · Score: 3, Interesting

    Dear god, will this bullshit end? It's like no one has ever heard of AppInit_DLLs (https://support.microsoft.com/en-us/help/197571/working-with-the-appinit-dlls-registry-value) or Binary Patching the MS way (https://msdn.microsoft.com/en-us/library/windows/desktop/aa370592(v=vs.85).aspx). This is not a new fucking 0-day or even a vulnerability. It is another, legitimate hooking technique that Microsoft invented. You have to have Local Admin credentials. If I have local Admin credentials, I can already kernel hook, install firmware or do any other privileged thing on the box. It doesn't surprise me that some no-name "security" company is peddling over-hyped shit. What does surprise me is that so many supposedly intelligent "technical" people are swallowing it.

    1. Re:Complete marketing wank by whoever57 · · Score: 1

      This is not a new fucking 0-day or even a vulnerability.

      Maybe it's not a 0-day, but how is this not another vulnerability? Maybe it's not a vulnerability in Windows, but it appears to be a legitimate vulnerability in several AV tools.

      --
      The real "Libtards" are the Libertarians!

    2. Re:Complete marketing wank by Anonymous Coward · · Score: 0

      Clearly, they're operating on the "Kidzcon @ DEFCON's closing ceremony's" definition of a 0day.

    3. Re:Complete marketing wank by Anonymous Coward · · Score: 0

      Because this is Slashdot, original home of the anti-MS circlejerk. Bonus points for circlejerking without having any understanding of Windows' security model.

  7. Unless I read it wrong? apk by Anonymous Coward · · Score: 0

    It can inject a lib/dll into ANY running process & "take over" what it does (letting them do anything they want in said injected lib/dll) - imo, this isn't restricted to JUST antivirus but ANY running process under administrator or better privilege.

    APK

    P.S.=> It's pretty bad... apk

    1. Re:Unless I read it wrong? apk by Anonymous Coward · · Score: 0

      It has a prerequisite of running with the privileged permissions an AV holds, hence it is an AV-specific vector and hence the design mitigations proposed to plug the hole. You can't exploit normal apps this way.

    2. Re: Unless I read it wrong? apk by Anonymous Coward · · Score: 0

      So what you're saying, is that you lied above and your shitty program can't prevent this exploit.

    3. Re:Unless I read it wrong? apk by Anonymous Coward · · Score: 0

      An administrator process can take over other administrator processes? The horror! I always run Chrome as admin!

    4. Re:Unless I read it wrong? apk by Anonymous Coward · · Score: 0

      It is not AV specific. Explorer.exe is using a dozen DLLs like ADVAPI, GDI.dll, NTDLL.DLL, msvcrt.dll and a bunch of others, and these can be replaced with malicious DLLs which can then be used by this Double-Agent attack.

      But of course planting malicious DLL in any process will be detected by AV, so any miscreants with half a brain would just go directly to attack the defenses (ie AV) first before anything else.

  8. While the severity is vastly oversold by Sycraft-fu · · Score: 2

    It is a story not so much because this can be done, but because there is a solution to it and has been for 3 years, AV vendors just aren't implementing it. There's additional hardening they could take to mitigate this, they just aren't.

    1. Re:While the severity is vastly oversold by najajomo · · Score: 1

      @Sycraft-fu: "It is a story not so much because this can be done, but because there is a solution to it and has been for 3 years, AV vendors just aren't implementing it. There's additional hardening they could take to mitigate this, they just aren't."

      Do you have a link to this three year old solution for the Double Agent zero-day attack, that the vendors aren't implementing, that the vendors are still working on a solution to?

    2. Re:While the severity is vastly oversold by Anonymous Coward · · Score: 0

      https://msdn.microsoft.com/en-us/library/windows/desktop/dn313124(v=vs.85).aspx#system_protected_process

    3. Re:While the severity is vastly oversold by Sycraft-fu · · Score: 1

  9. Uh, I said that (admin priv or better) by Anonymous Coward · · Score: 0

    See my subject & review the end of what I said - in other words, any process that has admin (or better) privilege is potentially adversely affected. I.E. - it's not JUST restricted to antivirus in other words...

    APK

    P.S.=> Like I said - it's pretty bad... apk

    1. Re: Uh, I said that (admin priv or better) by Anonymous Coward · · Score: 0

      Hey buddy, you're missing the point. The admin should be able to do anything. This is Windows working as designed, to do things; Windows' job is not to sit there and say NO to you when you are working.

    2. Re: Uh, I said that (admin priv or better) by Anonymous Coward · · Score: 0

      Oh please. Admin accounts in windows can't do a lot of things by default. See secpol.msc Local Policy User Rights Assignment. He also caught you skimming his post missing his point right here where he corrects your error https://it.slashdot.org/comments.pl?sid=10407817&cid=54109711/ so cut the crap. You blew it and trying some bullshit to cover your mistake is very weak. Double fail for you.

    3. Re:Uh, I said that (admin priv or better) by Anonymous Coward · · Score: 0

      oh shit, you're right, an admin can do stuff. We better pull OSX, all Linux distros and Windows from the market till we can find a way to address such a vulnerability

    4. Re: Uh, I said that (admin priv or better) by Anonymous Coward · · Score: 0

      Oh please. Admin accounts in windows can't do a lot of things by default. See secpol.msc Local Policy User Rights Assignment.

      Um.. you do realize that Admin accounts can change the local policy user rights... right?

      Okay, maybe not do everything by default (less and less the higher the windows version number). But they should be able to, that's the point of an administrator. The problem is that everyone gets to be an administrator by default, which is stupid.

    5. Re: Uh, I said that (admin priv or better) by Anonymous Coward · · Score: 0

      It's not wise to set privs too high even for an admin which is why some of those are not set to default for admin (device driver coders use a lot of them on debug builds of the OS). Setting rights to some of those opens you to attack.

  10. Depends on how threat is delivered by Anonymous Coward · · Score: 0

    See my subject: IF I cut off the source of the infestation, yes it can, easily IF served by host-domain name (which 99% of threats are since IP address served ones are too easy for ICANN etc. to cut off where host-domain isn't that easy (hence fastflux malware types etc.)).

    APK

    P.S.=> Plus, if I cut off ANY "C&C server" it's using, same deal IF done by host-domain name - it can't "talk back to mama" for orders OR data sending out of your system too (IF you are referring to my program posted about here way, Way, WAY above -> https://it.slashdot.org/comments.pl?sid=10407817&cid=54109645/ & I think you are - by the way: WHAT HAVE YOU PERSONALLY DONE THAT IS BETTER, hmmm? Answer that (I suspect ZERO, lol)... apk

  11. I don't lie per my last post & Jay-Z... ap by Anonymous Coward · · Score: 0

    "I'm from the Empire State in NY: Concrete Jungle where dreams are MADE of - there's NOTHING I can't do (count on NY)..." Alicia Keys (yeaaaa)

    * :)

    (Per https://it.slashdot.org/comments.pl?sid=10407817&cid=54109645/ )

    APK

    P.S.=> Per my subject & that tune w/ this line from Jay-Z? "That's boy's GOOD" https://www.youtube.com/watch?v=z5LOE_5icNA/ - don't YOU wish YOU were ME? Of course you do, lol... apk

  12. C'mon Norton by Anonymous Coward · · Score: 0

    ...while Norton downplayed the exploit, saying the attack "would require physical access to the machine and admin privileges to be successful," with their spokesperson "adding that it has deployed additional detection and blocking protections in the unlikely event users are targeted."

    That has to be the stupidest thing I've heard Norton say... so far this year.

    By far the majority of Windows installs are single user computers, meaning that the logged in user account will be in the Administrators group. Even with UAC at maximum settings self elevation without user interaction is completely trivial - the majority of PowerShell scripts we use for system administration relaunch themselves with Run as Administrator so they can get stuff done.

  13. Backdoor by manu0601 · · Score: 1

    Windows lets an unprivileged user inject a DLL in trusted code. That looks like a backdoor.

    I wonder if it has been intentionally added like Juniper's unauthorized VPN backdoor.

  14. Installed by default? by GerbilSoft · · Score: 1

    The attack involves the Microsoft Application Verifier, a runtime verification tool for unmanaged code that helps developers quickly find subtle programming errors in their applications. The tool, introduced with Windows XP, is installed by default and enabled on all versions of the operating system.

    Since when was Application Verifier installed by default? It was apparently included on Windows XP's CD in /Support/Tools, but wasn't part of the standard installation. I don't recall it being installed on any Windows 7 systems that didn't have Visual Studio installed, either.

    1. Re:Installed by default? by Anonymous Coward · · Score: 0

      Exactly. I am currently on XP and I can't find this directory either. Also, according to the linked article:

      three years ago Microsoft provided a new design concept that antivirus vendors could use that is called Protected Process and is meant specifically to protect antivirus software. Vendors could write their platforms so they are considered protected processes that would only allow trusted, signed code to load on them.

      Because in the history of computing, not even a single signing key was stolen! /s
      (like the keys of Sony, Microsoft, Symantec etc)

  15. Re:This doesn't let you be infected... apk by Anonymous Coward · · Score: 1

    Did you even read the summary you dumb fuck spammer? What the fuck is a hosts file going to do to protect against an exploit that requires physical access? You are a fucking moron, plain and simple. Get out of here with your piss poor piece of shit joke app. Pure fucking garbage compared to every other hosts file program out there, not to mention pretty much useless for the average computer user. While you're sitting there masturbating over a few meaningless cycles in KERNELMODE, everyone else just installs uBlock and actually contributes something to the world other than an example of what untreated autism looks like. I shudder to think how poorly configured your machine must be that you feel any sort of speed increase blocking ads in KERNELMODE.

  16. Re:This doesn't let you be infected... apk by Anonymous Coward · · Score: 1

    A lot of /. users have created useful utilities, but do you notice that even on a website filled to the brim with trolls and assholes you are the only one posting this kind of silly spam? Why don't you just create a sig with a brief description of your app and a link to your download page? Then contribute something actually useful to the conversation instead of a spam post worded like it was written by a 12 year old skript kiddie and maybe you'll get some respect. I actually use a hosts file to help block ads on my machine, but I won't use yours because I simply don't trust someone who claims their software will stop ads yet ironically spams every vaguely security related story with ads about his hosts file engine and then stalks people who have anything to say about it. Have you ever heard the phrase, "you catch more flies with honey than vinegar"?

    I encourage anyone who uses this person's software to switch to one of the many great open source alternatives until he starts practicing what he preaches and puts a stop to his own ads. APK is a hypocrite.

  17. Not always horror (DLL Injection too) by Anonymous Coward · · Score: 0

    See my subject: Microsoft's own EMET uses DLL injection "for the good" (unlike this threat) & makes Windows security features up there w/ ones Win10 has (in lesser builds which imo are better ones like 7). For a complete list of those enhancements, see here http://www.theregister.co.uk/2016/11/24/cert_no_microsoft_even_win_7_emet_is_better_than_solo_win_10/ in the "compare & contrast/before & after" comparison table graphic there.

    APK

    P.S.=> Good stuff - I use it on Windows 7 64-bit here... apk

  18. WTF Norton? by Anonymous Coward · · Score: 0

    Norton downplayed the exploit, saying the attack "would require physical access to the machine and admin privileges to be successful,"

    Requires physical access AND admin privileges? So, I can't do it remotely with admin privileges? Norton's downplay is as bad as the story's hyperbole.

    WTF Norton?

  19. Re: This doesn't let you be infected... apk by hackwrench · · Score: 1

    Norton claims that physical access is required. Whether it actually does or not remains to be seen. Personally I would not take Norton's word for it. The rest of them see this as a situation that warrants a patch.

  20. This doesn't let you be infected... apk by Anonymous Coward · · Score: 0

    See subject: Blocking infection + C&C talk & speeds you up 2 ways via APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

    Ads/script & malware rob speed/security/privacy

    Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity & faster vs. addons/routers/remote dns!

    Avoids DNSChangers in routers/IP settings & dns redirects (99.999% of ISP DNS != patched vs. it) + lightens DNS load & resolves faster from local system RAM!

    * Via what u NATIVELY have in the IP stack in FASTER kernelmode!

    APK

    P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/

  21. Re:This doesn't let you be infected... apk by Anonymous Coward · · Score: 0

    I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell

    his hosts program is actually pretty good by xenotransplant

    I've never tried to belittle (APK's) work, I've flat out said it's good by BronsCon

    take a look at the APK hosts file engine by SuperKendall

    APK is kinda right. I've tried his hosts file generating software. It works by bmo

    I like your host file system by Karmashock

    I find your hosts file admirable by vel-ex-tech

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg

    * Recommended & hosted by Malwarebytes' hpHosts!

    APK

    P.S.=> You've done better? No. UBlock doesn't do as much (no DNS bennies) & uses far more (inefficient slower usermode too)... apk

  22. /.ers disagree (I get respect, you don't) by Anonymous Coward · · Score: 0

    I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell

    his hosts program is actually pretty good by xenotransplant

    I've never tried to belittle (APK's) work, I've flat out said it's good by BronsCon

    take a look at the APK hosts file engine by SuperKendall

    APK is kinda right. I've tried his hosts file generating software. It works by bmo

    I like your host file system by Karmashock

    I find your hosts file admirable by vel-ex-tech

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg

    * Recommended & hosted by Malwarebytes' hpHosts...

    APK

    P.S.=> You've done better? No. Don't give me advice then, you unidentifiable no balls & no skills anonymous "ne'er-do-well" worm who stalks me - you get no respect, I do (see above)... apk