DoubleAgent malware could turn antivirus tools into attack vector

DoubleAgent malware is a proof of concept for a zero-day vulnerability that can turn antivirus tools into attack vectors. Expert Nick Lewis explains how to contain the threat.

The newly uncovered DoubleAgent vulnerability can exploit a Windows bug-fixing tool to transform antivirus software into malware. The Israeli security company Cybellum Ltd. claims that products sold by Avast, Bitdefender, Eset, Kaspersky, Norton, Trend Micro and other vendors are vulnerable. What is the zero-day vulnerability, and how does the DoubleAgent malware attack work?

Enterprises have high expectations for antivirus tools and, many times, they do not anticipate the additional risk of relying on a familiar antivirus tool or adding a new one to their environment. They might check that box and make a plan for managing the software and its log data, but still not consider how the tool itself should be secured.

There are a number of reasons cybersecurity tools may introduce risk. The tool may be run by a different operational team on behalf of the security team. Many antivirus products have also been around for 20-30 years, and they carry significant legacy functionality that may have been developed before modern software development lifecycles were introduced.

For other types of tools, this might be acceptable, but having another Witty-like worm targeting antivirus tools would only further embarrass the information security industry. We're lucky that people like Tavis Ormandy are reminding the community of this risk and forcing the industry to improve.

Research from Cybellum describes a new way to abuse antivirus software, or almost any software on the endpoint, by exploiting a vulnerability in the Microsoft Application Verifier, a verification tool used to discover and fix bugs in applications.

Much like the regsvr32.exe technique for bypassing AppLocker, the DoubleAgent vulnerability lets malware run code with the privileges of the targeted application.

To exploit the DoubleAgent vulnerability, an attacker first needs to run code on the endpoint. Once running, the DoubleAgent malware tells the process under attack to load a custom debugging application, which then runs the malware with that process's privileges and can completely take over the endpoint.

As a mitigation, Cybellum recommends running antivirus services as protected services, a feature Microsoft introduced in 2014 in Windows 8.1.

Given the sensitivity of endpoint security tools, enterprises should ask their endpoint security vendors when they expect to support Microsoft's protected processes, as well as how their software is secured against attacks like the one DoubleAgent uses. Enterprises might also want to investigate using Eset for protecting their endpoint security tools.
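One way to verify a vendor's answer on your own endpoints is to read each process's protection level directly. The PowerShell script below is an added example, not code from the original article, from Cybellum or from any vendor; it assumes Windows 8.1 or later and relies on NtQueryInformationProcess information class 61 (ProcessProtectionInformation), which is undocumented but has been stable across releases. The process names at the end are assumed, not taken from the article.

```powershell
# Added audit script (not from the original article or from Cybellum).
# Reports whether a process runs as a Protected Process or Protected Process Light (PPL),
# the mitigation the article recommends for antivirus services.
# Assumptions: Windows 8.1+, and PROCESSINFOCLASS 61 = ProcessProtectionInformation (undocumented).
if (-not ('Native.Proc' -as [type])) {
    Add-Type -Namespace Native -Name Proc -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr h);
[DllImport("ntdll.dll")]
public static extern int NtQueryInformationProcess(IntPtr h, int cls, out byte info, int len, out int ret);
'@
}

function Get-ProcessProtection {
    param([Parameter(Mandatory)][string[]]$Name)
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # enough to open even a protected process
    $ProcessProtectionInformation = 61
    $types   = @('None', 'ProtectedLight', 'Protected')
    $signers = @('None', 'Authenticode', 'CodeGen', 'Antimalware', 'Lsa', 'Windows', 'WinTcb', 'WinSystem', 'App')
    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        $h = [Native.Proc]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $p.Id)
        if ($h -eq [IntPtr]::Zero) {
            [pscustomobject]@{ Name = $p.ProcessName; Id = $p.Id; Protection = 'OpenProcess failed'; Signer = '' }
            continue
        }
        [byte]$ps = 0; [int]$ret = 0
        $status = [Native.Proc]::NtQueryInformationProcess($h, $ProcessProtectionInformation, [ref]$ps, 1, [ref]$ret)
        [void][Native.Proc]::CloseHandle($h)
        if ($status -ne 0) {
            [pscustomobject]@{ Name = $p.ProcessName; Id = $p.Id; Protection = ('NTSTATUS 0x{0:X8}' -f $status); Signer = '' }
            continue
        }
        # PS_PROTECTION is a single byte: bits 0-2 = Type, bit 3 = Audit, bits 4-7 = Signer
        $type   = $ps -band 0x7
        $signer = ($ps -shr 4) -band 0xF
        $typeName   = if ($type -lt $types.Count) { $types[$type] } else { "Type$type" }
        $signerName = if ($signer -lt $signers.Count) { $signers[$signer] } else { "Signer$signer" }
        [pscustomobject]@{ Name = $p.ProcessName; Id = $p.Id; Protection = $typeName; Signer = $signerName }
    }
}

# csrss runs as PPL (WinTcb) on a default Windows 8.1+ install; explorer does not.
# Add the process name of your own antivirus engine (assumed, not given in the article)
# to see whether it actually runs protected.
Get-ProcessProtection -Name 'csrss', 'explorer' | Format-Table -AutoSize
```

A result of None for an antivirus engine process means the DoubleAgent-style injection the article describes is not blocked by process protection on that host, whatever the product's documentation says.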


This was last published in August 2017