Image Credit: Cybellum

Attackers can use this vulnerability to compromise any legitimate process, including antivirus software, which runs as a highly privileged process. The hijacked antivirus process can then be turned against the very system it is meant to protect, hence the name DoubleAgent.

Microsoft Application Verifier

The DoubleAgent attack relies on Microsoft Application Verifier, which gives an attacker the ability to replace the standard verifier with a custom one. Microsoft Application Verifier (AppVerif.exe) is a dynamic verification tool for user-mode applications. It monitors an application's actions while the application runs, subjects it to a variety of stresses and tests, and generates a report about potential errors in the application's execution or design. It finds subtle programming errors that might be difficult to detect during standard application or driver testing. Application Verifier can be used alone or together with a user-mode debugger, and it is designed specifically to detect and help debug memory corruption and critical security vulnerabilities.

Code Injection

A verifier provider DLL is loaded into the process and performs the runtime verifications for the application. DoubleAgent abuses this mechanism to inject any dynamic link library into any process. Once a DLL is registered for a process, the Windows Loader injects it every time the process starts, and the injection survives reboots, updates, reinstalls and patches.

Application Verifier provider DLLs are registered per executable name, meaning each DLL is bound to a specific executable name. Publicly available code for registering a new Application Verifier provider for an executable exists in the DoubleAgent project.

The registration process creates two new registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PROCESS_NAME (here NS.exe):

Registration process creating two new registry keys

Whenever a process starts normally, the first DLL that loads is kernel32.dll. But if Microsoft Application Verifier is enabled for that process, the first DLL that loads is the selected verifier provider DLL. Once that DLL loads, its code runs freely inside the victim process. It is worth noting that once the attacker decides to inject a DLL into a process, the two are bound together permanently: even if the victim completely uninstalls and reinstalls the program, the attacker's DLL is still injected every time the process executes.
The DoubleAgent attack can be used for various purposes, such as:
  • Taking full control of antivirus processes.
  • Installing malware which is persistent.
  • Hijacking the permissions of an existing trusted process.
  • Installing backdoors, weakening encryption algorithms or any other modification of the behavior of the process.
  • Injecting code to processes of other users or sessions.
The DoubleAgent attack can inject any DLL into any process. The code injection occurs at an extremely early stage of the victim process's startup, and the technique is so unusual that it is not detected or blocked by any antivirus. Most of today's security solutions on the market were also susceptible to DoubleAgent attacks, although many of the products listed below have since been updated to fix this vulnerability.
Here is the list of affected security products (most of them have now been fixed):
  • Avast (CVE-2017-5567)
  • AVG (CVE-2017-5566)
  • Avira (CVE-2017-6417)
  • Bitdefender (CVE-2017-6186)
  • Trend Micro (CVE-2017-5565)
  • Comodo
  • ESET
  • F-Secure
  • Kaspersky
  • Malwarebytes
  • McAfee
  • Panda
  • Quick Heal
  • Norton
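The persistence point described above is the per-executable subkey under Image File Execution Options. The following PowerShell audit is an added example written for this page; it is not code from the article or from the DoubleAgent project. It enumerates every IFEO subkey and reports executables that have Application Verifier enabled or a provider DLL registered, then checks each provider's Authenticode signature. It assumes the documented value names GlobalFlag (bit 0x100, FLG_APPLICATION_VERIFIER) and VerifierDlls, and it assumes the loader resolves provider names against System32, which is where the check looks for the file.

```powershell
# Added audit example (not from the article or the DoubleAgent project).
# Walks the per-executable IFEO subkeys and reports Application Verifier registrations.
# Assumed value names, from Microsoft's GFlags / Application Verifier documentation:
#   GlobalFlag   (REG_DWORD) bit 0x100 = FLG_APPLICATION_VERIFIER
#   VerifierDlls (REG_SZ)    space-separated provider DLL names
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$FLG_APPLICATION_VERIFIER = 0x100

function Get-VerifierProviderRegistrations {
    param([string]$Path = $ifeo)

    foreach ($key in Get-ChildItem -Path $Path -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # GlobalFlag may be absent, a DWORD, or a string such as "0x100"; [int] copes with all three.
        $flags = [int]$props.GlobalFlag
        $dlls  = [string]$props.VerifierDlls
        $verifierEnabled = ($flags -band $FLG_APPLICATION_VERIFIER) -ne 0

        if (-not ($verifierEnabled -or $dlls)) { continue }

        $providers = $dlls -split '\s+' | Where-Object { $_ }
        if (-not $providers) {
            # Verifier flag set but no custom provider: record the executable so a reviewer
            # can decide whether a developer actually left AppVerif enabled here.
            [pscustomobject]@{
                Executable = $key.PSChildName; VerifierEnabled = $true
                ProviderDll = '(none listed)'; ProviderPath = ''; Signature = ''; Signer = ''
            }
            continue
        }

        foreach ($dll in $providers) {
            # Assumption: provider names are resolved against System32, so look there and
            # check the file's Authenticode signature. An unsigned or non-Microsoft provider
            # registered for a security product is what the injection looks like on disk.
            $file   = Join-Path $env:SystemRoot "System32\$dll"
            $status = 'file missing'
            $signer = 'n/a'
            if (Test-Path -LiteralPath $file) {
                $sig    = Get-AuthenticodeSignature -FilePath $file
                $status = $sig.Status
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
            }
            [pscustomobject]@{
                Executable      = $key.PSChildName
                VerifierEnabled = $verifierEnabled
                ProviderDll     = $dll
                ProviderPath    = $file
                Signature       = $status
                Signer          = $signer
            }
        }
    }
}

$findings = Get-VerifierProviderRegistrations
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No executable has an Application Verifier provider registered under IFEO.'
}
```

Run it from an elevated prompt so every subkey is readable. A legitimate result is a developer workstation where AppVerif.exe was used on the team's own binaries; an antivirus or other security-product executable appearing in the output, especially with a provider whose signature status is not Valid or whose signer is not Microsoft, is the condition this article describes and deserves an incident-response look rather than a quiet cleanup, since the registration itself tells you which process was targeted.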

Solution

DoubleAgent exploits an old, legitimate feature of Windows and thus cannot simply be patched away. The solution is for applications to adopt the "Protected Processes" design concept that Microsoft introduced more than 3 years ago. The protected-process infrastructure only allows trusted, signed code to load and has a built-in defense against code injection. This means that even if an attacker finds a new zero-day technique for injecting code, it cannot be used against the antivirus, because the attacker's code is not signed. The concept was designed specifically for antivirus services. Currently, only Windows Defender has implemented this design.

– Shakeel