Slashdot Mirror


Anti-Virus Vendors Scramble To Patch Hijacking Exploit Involving Microsoft Tool (securityweek.com)

"A zero-day attack called Double Agent can take over antivirus software on Windows machines," Network World reported Wednesday. wiredmikey writes: The attack involves the Microsoft Application Verifier, a runtime verification tool for unmanaged code that helps developers find subtle programming errors in their applications... [The exploit] allows a piece of malware executed by a privileged user to register a malicious DLL for a process associated with an antivirus or other endpoint security product, and hijack its agent.
Patches were released by Malwarebytes, AVG, and Trend Micro, the security researchers told BleepingComputer earlier this week. Kaspersky Lab told ZDNet "that measures to detect and block the malicious scenario have now been added to all its products," while Norton downplayed the exploit, saying the attack "would require physical access to the machine and admin privileges to be successful," with their spokesperson "adding that it has deployed additional detection and blocking protections in the unlikely event users are targeted."

BetaNews reports that the researchers "say that it is very easy for antivirus producers to implement a method of protection against this zero-day, but it is simply not being done. 'Microsoft has provided a new design concept for antivirus vendors called Protected Processes...specially designed for antivirus services...the protected process infrastructure only allows trusted, signed code to load and has built-in defense against code injection attacks.'"
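Defensive counterpart to the mechanism the summary describes, added here and not taken from the article, the researchers or any AV vendor: a Python scanner that reads a registry export (.reg file) and reports executables for which Application Verifier has been switched on with a DLL outside an allowlist. It relies on the standard Image File Execution Options (IFEO) key layout; the sample registry text, executable names and hook DLL name are constructed.

```python
# Added example (not from the article, the researchers or any AV vendor): an
# offline scanner for Application Verifier DLL registrations in a .reg export.
# IFEO key layout, GlobalFlag bit 0x100 (FLG_APPLICATION_VERIFIER) and the
# VerifierDlls value are real Windows details; all sample data is constructed.
import re
FLG_APPLICATION_VERIFIER = 0x100
IFEO_MARKER = "\\image file execution options\\"
_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

def parse_reg_export(text):
    """Map each per-image IFEO key to {"flag": int, "dlls": [names]}."""
    entries, cur = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if (m := _KEY_RE.match(line)):
            key = m.group("key").lower()
            pos = key.find(IFEO_MARKER)
            rest = key[pos + len(IFEO_MARKER):] if pos >= 0 else ""
            # Track only the per-image key itself, not the IFEO root or subkeys.
            cur = (entries.setdefault(rest, {"flag": 0, "dlls": []})
                   if rest and "\\" not in rest else None)
        elif cur and (m := _VAL_RE.match(line)):
            name, data = m.group("name").lower(), m.group("data")
            if name == "globalflag" and data.lower().startswith("dword:"):
                cur["flag"] = int(data[6:], 16)
            elif name == "verifierdlls" and data.startswith('"'):
                cur["dlls"] = data.strip('"').lower().split()
    return entries

def find_injected_verifiers(text, watched_images, allowed_dlls):
    """(image, dll) pairs where a watched process would load a verifier DLL that is
    not a known provider. Without the GlobalFlag bit the loader ignores VerifierDlls."""
    hits = []
    for img, e in parse_reg_export(text).items():
        if img in watched_images and e["flag"] & FLG_APPLICATION_VERIFIER:
            hits.extend((img, d) for d in e["dlls"] if d not in allowed_dlls)
    return hits

# Constructed .reg export: a hijacked AV agent, a legitimate developer setup,
# and an unrelated IFEO Debugger entry that must not be reported.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avagent.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="agenthook.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devapp.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="vrfcore.dll vfbasics.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\tools\\dbg.exe"
"""
```

On a live host the same functions can be fed the output of `reg export` for the IFEO key; the allowlist should hold only the verifier provider DLLs your developers actually deploy, since on an endpoint-security agent any entry at all is worth a look.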

13 of 48 comments

  1. Oh, Norton! by hackwrench · · Score: 2

    I bought an HP Pavilion 500-165 off of someone for $100 who said it ran slow, and I uninstalled Norton and the problem went away. So Norton is the greatest program ever invented for acquiring computers cheaper from people.

    1. Re:Oh, Norton! by RubberDogBone · · Score: 1

      Ah, McAfee. I used to do a lot of gaming with a group of ladies. Actual biological females. Being way too old for any of them to worry about, and being old enough to be polite, it was a good place to hang out and game. We got along fine. Still do.

      They had a clan thing going and used voice chat to talk as they hopped from game to game to game. It was a lot of fun.

      Anyway, I knew a lot more about PCs than any of them, which is fine. Nobody really needs to know much. Several of the ladies had ongoing performance problems, and it turned out they all had McAfee. So I walked them through getting rid of that turd and gave them all Eset licenses. Everybody had very good results. They now talk to their friends and selectively choose who is told to install McAfee and who is told to get rid of it.

      Ah dirty tricks.

      --
      Sig for hire.
  2. Privileged User by Anonymous Coward · · Score: 2, Insightful

    Something executed by a "privileged user" can and should be able to remove anti-virus by design, how else could AV get installed and uninstalled if not by a privileged user?

    This is why you protect your admin/root accounts.

  3. Complete marketing wank by shellster_dude · · Score: 3, Interesting

    Dear god, will this bullshit end? It's like no one has ever heard of AppInit_Dlls (https://support.microsoft.com/en-us/help/197571/working-with-the-appinit-dlls-registry-value) or Binary Patching the MS way (https://msdn.microsoft.com/en-us/library/windows/desktop/aa370592(v=vs.85).aspx). This is not a new fucking 0-day or even a vulnerability. It is another, legitimate hooking technique that Microsoft invented. You have to have Local Admin credentials. If I have local Admin credentials, I can already kernel hook, install firmware or do any other privileged thing on the box. It doesn't surprise me that some no-name "security" company is peddling over-hyped shit. What does surprise me is that so many supposedly intelligent "technical" people are swallowing it.

    1. Re:Complete marketing wank by whoever57 · · Score: 1

      This is not a new fucking 0-day or even a vulnerability.

      Maybe it's not a 0-day, but how is this not another vulnerability? Maybe it's not a vulnerability in Windows, but it appears to be a legitimate vulnerability in several AV tools.

      --
      The real "Libtards" are the Libertarians!
  4. While the severity is vastly oversold by Sycraft-fu · · Score: 2

    It is a story not so much because this can be done, but because there is a solution to it and has been for 3 years, AV vendors just aren't implementing it. There's additional hardening they could take to mitigate this, they just aren't.

    1. Re:While the severity is vastly oversold by najajomo · · Score: 1

      @Sycraft-fu: "It is a story not so much because this can be done, but because there is a solution to it and has been for 3 years, AV vendors just aren't implementing it. There's additional hardening they could take to mitigate this, they just aren't."

      Do you have a link to this three year old solution for the Double Agent zero-day attack, that the vendors aren't implementing, that the vendors are still working on a solution to?

    2. Re:While the severity is vastly oversold by Sycraft-fu · · Score: 1
  5. Backdoor by manu0601 · · Score: 1

    Windows lets an unprivileged user inject a DLL in trusted code. That looks like a backdoor.

    I wonder if it has been intentionally added like Juniper's unauthorized VPN backdoor.

  6. Installed by default? by GerbilSoft · · Score: 1

    The attack involves the Microsoft Application Verifier, a runtime verification tool for unmanaged code that helps developers quickly find subtle programming errors in their applications. The tool, introduced with Windows XP, is installed by default and enabled on all versions of the operating system.

    Since when was Application Verifier installed by default? It was apparently included on Windows XP's CD in /Support/Tools, but wasn't part of the standard installation. I don't recall it being installed on any Windows 7 systems that didn't have Visual Studio installed, either.

  7. Re:This doesn't let you be infected... apk by Anonymous Coward · · Score: 1

    Did you even read the summary, you dumb fuck spammer? What the fuck is a hosts file going to do to protect against an exploit that requires physical access? You are a fucking moron, plain and simple. Get out of here with your piss poor piece of shit joke app. Pure fucking garbage compared to every other hosts file program out there, not to mention pretty much useless for the average computer user. While you're sitting there masturbating over a few meaningless cycles in KERNELMODE, everyone else just installs uBlock and actually contributes something to the world other than an example of what untreated autism looks like. I shudder to think how poorly configured your machine must be that you feel any sort of speed increase blocking ads in KERNELMODE.

  8. Re:This doesn't let you be infected... apk by Anonymous Coward · · Score: 1

    A lot of /. users have created useful utilities, but do you notice that even on a website filled to the brim with trolls and assholes you are the only one posting this kind of silly spam? Why don't you just create a sig with a brief description of your app and a link to your download page? Then contribute something actually useful to the conversation instead of a spam post worded like it was written by a 12-year-old skript kiddie, and maybe you'll get some respect. I actually use a hosts file to help block ads on my machine, but I won't use yours because I simply don't trust someone who claims their software will stop ads yet ironically spams every vaguely security related story with ads about his hosts file engine and then stalks people who have anything to say about it. Have you ever heard the phrase, "you catch more flies with honey than vinegar"?

    I encourage anyone who uses this person's software to switch to one of the many great open source alternatives until he starts practicing what he preaches and puts a stop to his own ads. APK is a hypocrite.

  9. Re: This doesn't let you be infected... apk by hackwrench · · Score: 1

    Norton claims that physical access is required. Whether it actually does or not remains to be seen. Personally I would not take Norton's word for it. The rest of them see this as a situation that warrants a patch.