Zero-Day DoubleAgent Attack Converts AV Products into Malware
Security researchers recently disclosed a new attack, dubbed DoubleAgent, that abuses a legitimate Windows tool intended for testing applications in order to turn anti-virus software into malware.
Cybellum, the Israeli security company that detailed the DoubleAgent attack, says it can take full control of security products from Avira, AVG, Avast, Comodo, Trend Micro, BitDefender, Kaspersky, F-Secure, ESET, McAfee, Malwarebytes, Norton, Symantec, Quick Heal and Panda. The firm adds that other anti-virus products are likely to be affected as well.
DoubleAgent, described as a zero-day attack, is reportedly able to take over AV software running on Windows PCs and turn it into a malicious program that encrypts files and holds them for ransom, formats the machine's hard drive, or exfiltrates data.
DoubleAgent abuses a legitimate Windows component, Microsoft Application Verifier, and turns it against anti-virus programs from many security vendors, according to Cybellum, which published its advisory in the week of March 20.
Cybellum explains that the technique lets attackers turn an AV product from any of the vendors listed above into malware that spies on users, steals sensitive data stored on their computers, and moves laterally across the network to damage machines. Most importantly, because the malicious code runs inside what looks like the anti-virus, it gives attackers a persistent foothold on the host. Darkreading.com reported this on March 22, 2017.
DoubleAgent worked against every AV program Cybellum tested, on Windows XP through Windows 10. It was also found to work against nearly every other process running on those Windows machines.
According to Michael Engstler, chief technology officer and co-founder of Cybellum, DoubleAgent lets an attacker inject a DLL (dynamic link library) into a target process on the victim machine. The injection survives reboots, and even attempts to uninstall and reinstall the affected software.
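The article does not spell out how Application Verifier is configured. The documented mechanism is a per-executable Image File Execution Options (IFEO) key with a GlobalFlag that enables the verifier (0x100) and a VerifierDlls value listing provider DLLs to load into that process, which is why an entry persists across reboots and reinstalls. The following PowerShell script is an added example, not code from Cybellum or the original article: it enumerates IFEO entries that register a verifier DLL and reports the signer of each DLL, so a defender can spot unexpected providers attached to security products. The key paths and value names are taken from the Application Verifier mechanism, not from the article; the System32 lookup for the DLL is an assumption about where the provider is resolved from.

```powershell
# Added example: hunt for Application Verifier provider DLLs registered via IFEO.
# Run from an elevated PowerShell prompt.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$FLG_APPLICATION_VERIFIER = 0x100   # GlobalFlag bit that turns the verifier on for the image

function Get-VerifierProviderEntries {
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if (-not $props.VerifierDlls) { return }        # no provider registered for this image

            # GlobalFlag may be REG_DWORD or a REG_SZ such as "0x100"; [int] handles both forms.
            $flag = 0
            if ($null -ne $props.GlobalFlag) { $flag = [int]$props.GlobalFlag }

            # VerifierDlls is a space-separated list of DLL file names.
            foreach ($dll in ($props.VerifierDlls -split '\s+' | Where-Object { $_ })) {
                # Assumption: resolve the provider name against System32 / SysWOW64 to inspect its signer.
                $dir = if ($root -like '*WOW6432Node*') { 'SysWOW64' } else { 'System32' }
                $candidate = Join-Path $env:SystemRoot "$dir\$dll"
                $signer = '<file not found>'
                if (Test-Path $candidate) {
                    $sig = Get-AuthenticodeSignature -FilePath $candidate
                    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "<unsigned: $($sig.Status)>" }
                }
                [pscustomobject]@{
                    Image       = $_.PSChildName
                    VerifierOn  = (($flag -band $FLG_APPLICATION_VERIFIER) -ne 0)
                    VerifierDll = $dll
                    DllPath     = $candidate
                    Signer      = $signer
                    RegistryKey = $_.Name
                }
            }
        }
    }
}

$entries = Get-VerifierProviderEntries
if (-not $entries) {
    Write-Host 'No Application Verifier provider DLLs are registered under IFEO.'
} else {
    # Any entry whose DLL is missing, unsigned, or not signed by Microsoft deserves a closer look,
    # especially when the image is a security product's own executable.
    $entries | Sort-Object Image | Format-Table Image, VerifierOn, VerifierDll, Signer -AutoSize
    $suspicious = $entries | Where-Object { $_.Signer -notlike '*O=Microsoft Corporation*' }
    if ($suspicious) {
        Write-Warning "Provider DLLs not signed by Microsoft:"
        $suspicious | Format-List Image, VerifierDll, DllPath, Signer, RegistryKey
    }
}
```

Developers who use appverif.exe legitimately will also produce entries here, so treat the output as a lead rather than a verdict: compare the image name against installed security products, confirm who owns the DLL, and check when the registry key was last written.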
According to the report, the only safeguard currently available is to keep Microsoft's Windows Defender up to date at all times; AV vendors are expected to release patches of their own.
» SPAMfighter News - 28-03-2017