Here comes news about a new kind of attack that can turn advanced antivirus security software itself into malware.
Researchers have published reports about a new proof-of-concept exploit, named DoubleAgent, which hijacks third-party Windows antivirus software and then uses that same antivirus software to deliver further attacks. There is no evidence yet that the exploit is being used in the wild, but internet security researchers have found that most antivirus programs are susceptible to the vulnerability.
This development is somewhat startling, because advanced antivirus security software, which is expected to provide better protection against hackers, can now become a tool in the hands of those very hackers. The entry point is a debugging tool in Microsoft Windows, a well-intentioned one called Microsoft Application Verifier, which can be used to gain control of antivirus software. In principle this could help hackers manipulate any software target, but antivirus software is the one most likely to appeal to an attacker, because antivirus programs have extensive system privileges, including the privilege to scan the whole system, and so can give hackers access to almost anything on a system or network.
According to internet security experts researching and analysing the bug, malicious code that enters through the legitimate Microsoft Application Verifier tool becomes highly persistent: even a system reboot does not eliminate the attack. Once an attacker gains control of the antivirus program, he can manipulate it to execute all kinds of attacks. These may include:
- Turning the antivirus program itself into malware.
- Using the AV program to whitelist the malware that the hackers want to spread.
- Making the antivirus ignore various malicious remote activity, including decryption, data mining and so on.
- Using the AV program to encrypt files or format hard drives without the user's permission, thus turning the AV software into ransomware.
- Using the AV program to cause a denial-of-service condition for any program on Windows, by making it flag and block applications.
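The article does not say how Application Verifier attaches to a process, so a defender's first question is where to look for this kind of persistence. The script below is an added example, not code from the article or from the DoubleAgent researchers. It assumes the documented Windows layout in which Application Verifier is configured per executable under the Image File Execution Options (IFEO) registry key, using a `VerifierDlls` string value and the `0x100` (FLG_APPLICATION_VERIFIER) bit of `GlobalFlag`; it enumerates every image that has a verifier provider registered, resolves the provider DLL and reports its Authenticode status, so that an entry pointing at an antivirus process or at an unsigned DLL stands out.

```powershell
# Added example (not from the article): audit Application Verifier providers
# registered under Image File Execution Options. Assumed layout: per-image
# subkey with 'VerifierDlls' (space-separated DLL names, loaded from System32
# or SysWOW64) and 'GlobalFlag' carrying the 0x100 Application Verifier bit.
$IfeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$FlgAppVerifier = 0x100   # FLG_APPLICATION_VERIFIER bit of GlobalFlag

function Get-VerifierProvider {
    # Emits one object per (image, provider DLL) pair found in IFEO, plus one
    # object for images that have the verifier flag set but name no DLL.
    foreach ($base in $IfeoPaths) {
        # 32-bit images under WOW6432Node load their providers from SysWOW64.
        $sysDir = if ($base -like '*WOW6432Node*') { "$env:SystemRoot\SysWOW64" }
                  else { "$env:SystemRoot\System32" }

        Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            $flag  = [int]($props.GlobalFlag)          # $null becomes 0
            $dlls  = [string]($props.VerifierDlls)
            $verifierOn = [bool]($flag -band $FlgAppVerifier)
            if (-not $dlls -and -not $verifierOn) { return }   # nothing registered here

            $names = ($dlls -split '\s+') | Where-Object { $_ }
            if (-not $names) { $names = @($null) }            # flag set, no DLL named

            foreach ($dll in $names) {
                $full = if ($dll) { Join-Path $sysDir $dll } else { $null }
                $sig  = if ($full -and (Test-Path $full)) {
                            (Get-AuthenticodeSignature -FilePath $full).Status
                        } elseif ($full) { 'FileMissing' } else { 'NoDll' }
                [PSCustomObject]@{
                    Image        = $_.PSChildName
                    Hive         = $base
                    VerifierDll  = $dll
                    ResolvedPath = $full
                    Signature    = $sig
                    AppVerifier  = $verifierOn
                    GlobalFlag   = '0x{0:X}' -f $flag
                }
            }
        }
    }
}

# Typical use: list everything, then look hard at any entry whose image is a
# security product or whose provider DLL is missing, unsigned, or not a
# Microsoft verifier provider.
Get-VerifierProvider | Sort-Object Image | Format-Table -AutoSize
Get-VerifierProvider | Where-Object { $_.Signature -ne 'Valid' } |
    ForEach-Object { Write-Warning ("Unverified provider for {0}: {1} ({2})" -f $_.Image, $_.VerifierDll, $_.Signature) }
```

Run it from an elevated PowerShell on the host you are checking. On a developer machine a handful of entries created by the Application Verifier tool itself are normal; on a server or an end-user workstation an IFEO verifier entry for an antivirus or other security process is exactly the persistence the article describes and should be investigated rather than explained away. Monitoring writes to these keys (for example with Sysmon registry events) turns the same logic into a continuous detection rather than a one-off audit.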
This vulnerability is dangerous indeed: firstly because it turns the very same advanced antivirus security software that we use to secure our systems into the vehicle for the attack, and secondly because once an antivirus itself turns malicious, it can affect any area of our system or network.
Of the many antivirus programs identified as susceptible to this vulnerability, some have reportedly patched the bug, while Comodo antivirus has its own default protections that negate such attacks.