Author Topic: New Attack Uses Microsoft's Application Verifier to Hijack Antivirus Software

Offline Felipe Oliveira

  • Malware Research Group
https://www.bleepingcomputer.com/news/security/new-attack-uses-microsofts-application-verifier-to-hijack-antivirus-software/

Quote
DoubleAgent attack leverages Microsoft's Application Verifier
The Microsoft Application Verifier is a tool that allows developers to verify code for errors at runtime. The tool ships with all Windows versions and works by loading a DLL inside the application developers want to check.

Cybellum researchers discovered that developers could load their own "verifier DLL" instead of the one provided by the official Microsoft Application Verifier.

Simply by creating a Windows Registry key, an attacker could name the application he wants to hijack and then provide his own rogue DLL he'd like injected into a legitimate process.

Several antivirus makers affected

Cybellum researchers say that most of today's security products are susceptible to DoubleAgent attacks. The list of affected products includes:

Avast (CVE-2017-5567)
AVG (CVE-2017-5566)
Avira (CVE-2017-6417)
Bitdefender (CVE-2017-6186)
Trend Micro (CVE-2017-5565)
Comodo
ESET
F-Secure
Kaspersky
Malwarebytes
McAfee
Panda
Quick Heal
Norton

"We have reported [DoubleAgent to] all the vendors more than 90 days ago, and worked with [a] few of them since," Michael Engstler, Cybellum CTO, told Bleeping Computer in an email.

At the time of writing, "the only vendors that released a patch are Malwarebytes (version number: 3.0.6 Component Update 3), AVG (version number: 16.151.8007) and Trend-Micro (should release it soon)," Engstler added.
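The article above describes the mechanism only in outline (a registry key that names the target executable and a rogue "verifier DLL"). The following is an added example, not code from Bleeping Computer, Cybellum or Comodo: a small Python audit that parses a `reg export` of the Image File Execution Options (IFEO) key and reports every executable for which Application Verifier is switched on with a provider DLL outside the set that ships with Windows. The key and value names it relies on (GlobalFlag bit 0x100, i.e. FLG_APPLICATION_VERIFIER, and VerifierDlls) are Microsoft's documented Application Verifier plumbing rather than something the thread states; the allowlist of provider DLLs, the sample export, and the names avscanner.exe and rogue_verifier.dll are constructed for illustration.

```python
r"""Audit Image File Execution Options (IFEO) for Application Verifier DLL
injection, the mechanism DoubleAgent abuses.

Application Verifier is enabled per executable by creating the key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<exe>
with bit 0x100 (FLG_APPLICATION_VERIFIER) set in GlobalFlag and the provider
DLLs named in VerifierDlls; ntdll maps those DLLs into every new <exe> process
before the program's own code runs.  These key/value names are Microsoft's
documented mechanism, not something stated in the forum thread.
"""
import re
from dataclasses import dataclass, field

FLG_APPLICATION_VERIFIER = 0x100
IFEO_PATH = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
             r"\CurrentVersion\Image File Execution Options")
# Assumption: provider DLLs shipped with Windows / the Application Verifier
# package are benign; any other name in VerifierDlls is reported.
KNOWN_VERIFIER_DLLS = {"vrfcore.dll", "vfbasics.dll", "vfcompat.dll",
                       "vfluapriv.dll", "vfprint.dll", "vfnet.dll", "vfntddi.dll"}


@dataclass
class IfeoEntry:
    exe: str
    global_flag: int = 0
    verifier_dlls: list = field(default_factory=list)

    @property
    def verifier_enabled(self) -> bool:
        return bool(self.global_flag & FLG_APPLICATION_VERIFIER)


def parse_reg_export(text: str) -> list:
    """Parse `reg export` output of the IFEO key into one IfeoEntry per executable."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            current = None
            name = key.group(1)
            if name.lower().startswith(IFEO_PATH.lower() + "\\"):
                exe = name[len(IFEO_PATH) + 1:]
                if "\\" not in exe:  # direct child key = one executable
                    current = IfeoEntry(exe=exe)
                    entries.append(current)
            continue
        value = re.fullmatch(r'"([^"]+)"=(.*)', line)
        if current is None or not value:
            continue
        vname, vdata = value.group(1).lower(), value.group(2)
        if vname == "globalflag" and vdata.startswith("dword:"):
            current.global_flag = int(vdata[len("dword:"):], 16)
        elif vname == "verifierdlls" and vdata.startswith('"'):
            # REG_SZ: space-separated DLL names; .reg escapes backslashes as \\
            current.verifier_dlls = vdata.strip('"').replace("\\\\", "\\").split()
        elif vname == "verifierdlls":
            # hex(2)/hex(7) data is not decoded here; keep it so it is still flagged
            current.verifier_dlls = [vdata]
    return entries


def suspicious_entries(entries) -> list:
    """(exe, [unknown DLLs]) for each executable with the verifier enabled and a
    VerifierDlls name outside KNOWN_VERIFIER_DLLS (bare name or full path)."""
    findings = []
    for e in entries:
        unknown = [d for d in e.verifier_dlls
                   if d.lower().rsplit("\\", 1)[-1] not in KNOWN_VERIFIER_DLLS]
        if e.verifier_enabled and unknown:
            findings.append((e.exe, unknown))
    return findings


# Constructed sample export, not a real capture: notepad.exe carries an ordinary
# appverif setup; avscanner.exe (hypothetical AV process) has a rogue provider DLL
# wired in exactly the way the article describes; iexplore.exe has no verifier.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="vrfcore.dll vfbasics.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscanner.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="C:\\Users\\Public\\rogue_verifier.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000
'''

if __name__ == "__main__":
    for exe, dlls in suspicious_entries(parse_reg_export(SAMPLE_REG)):
        print(f"{exe}: Application Verifier on, unknown provider DLL(s): {dlls}")
```

To run it against a real machine, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and open the file with `encoding="utf-16"` (reg.exe writes UTF-16 with a BOM); on 64-bit Windows repeat for the `Wow6432Node` copy, which governs 32-bit targets. Note that the audit is a post-hoc check: as the vendor reply later in this thread points out, the attack needs a write to this key in the first place, so controlling who may modify it is the preventive layer.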

Offline Protected_PC

Re: 0day for comodo
« Reply #2 on: March 21, 2017, 10:48:55 PM »
http://www.securityweek.com/attackers-can-hijack-security-products-microsoft-tool

Will COMODO be able to stop DoubleAgent dead in its tracks before DoubleAgent attacks it?
Windows 10 Professional/COMODO Internet Security Premium

Offline futuretech

  • Global Moderator
Merged topics.

It's funny how they claim that Comodo is vulnerable, but I bet they didn't even try, or if they did, it was sandboxed and their tool reported a "success" without actually checking to see if it really did succeed.

Offline egemen

  • Comodo Staff
Hello Guys,

No, we are not vulnerable to this AppVerifier injection. Michael [from Cybellum] contacted us on this issue at our security response email, and we had a long discussion on the topic.

The claim was: Malware can use this registry key to inject arbitrary code into COMODO processes and hence disable the protection. DLL injection through AppVerifier registry keys has been around since Windows XP i.e. the last 10 years, and CIS [Comodo Internet Security], by default, protects these keys against malicious modifications already. Check the attachment CIS_protected.png. In order for the attack to be successful, malware has to write to this registry key, and CIS already protects against this by default. There are actually hundreds of similar ways of injecting into other processes, and I am not sure other AVs are even aware of them.

Most of the disagreement comes from not understanding how CIS layered defense works and assuming CIS is like the classical antivirus products mentioned in the original article. Never mind protecting itself against such attacks, CIS protects EVERY other application against such attacks too.

For this attack to be successful, the malware author should be able to bypass CIS protection. CIS, by default, allows only whitelisted applications to modify such critical keys. Non-whitelisted applications will be either blocked or sandboxed, rendering the attack ineffective.

To his credit however, during our discussions with Michael [from Cybellum], another attack vector was disclosed to us. This can cause problems with default configuration so we will be addressing it with an update in April. We will be giving more details on it with the release.


Thanks,
Egemen

Edit: Fixed grammatical errors
« Last Edit: March 22, 2017, 01:47:41 PM by egemen »

Offline Graham1

Quote from: egemen
Hello Guys,

First of all, do not worry. No, we are not vulnerable to this AppVerifier injection. Michael contacted us on this issue via our security response email and we had a long discussion on the topic.

The claim was: Malware can use this registry key to inject arbitrary code into COMODO processes and hence disable the protection.
DLL injection through AppVerifier registry keys has been around since Windows XP, i.e. the last 10 years, and CIS by default protects these keys against malicious modifications already. Check the attachment CIS_protected.png. In order for the attack to be successful, malware has to write to this registry key and CIS already protects against this by default. There are actually hundreds of similar ways of injecting into other processes and I am not sure other AVs are even aware of them.

Most of the disagreement occurs due to not understanding how CIS layered defense works and assuming CIS is like the classical antivirus products mentioned in the original article. Never mind protecting itself against such attacks, CIS protects EVERY other application against such attacks too.

For this attack to be successful, the malware author should be able to bypass CIS protection. CIS by default allows only whitelisted applications to modify such critical keys. Non-whitelisted applications will be either blocked or sandboxed, rendering the attack ineffective.

To his credit however, during our discussions with Michael (from Cybellum), another attack vector was disclosed to us. This can cause problems with default configuration so we will be addressing it with an update in April. We will be giving more details on it with the release.


Thanks,
Egemen

Hi Egemen

Thanks for the update :-TU. Is CCAV protected against this threat? If not, is CIS protected under the default configuration? (isn't HIPS disabled by default?) Please advise as I just want to use the best security (inc. configuration) that Comodo has to offer.

:)
« Last Edit: March 22, 2017, 09:37:15 AM by Graham1 »
Ubuntu 16.04 LTS (x64) | Chromium | uBlock Origin | Privacy Badger | HTTPS Everywhere

https://www.thevenusproject.com | Beyond Politics Poverty and War

Offline Jon79

Quote from: egemen
To his credit however, during our discussions with Michael (from Cybellum), another attack vector was disclosed to us. This can cause problems with default configuration so we will be addressing it with an update in April. We will be giving more details on it with the release.

Great to know some news about upcoming releases of CIS  :-TU
By the way, default configuration is not advisable, it comes with too many flaws...
I'd suggest any CIS/CFW/CAV user to switch to Proactive Security configuration and then fine-tune it

Offline futuretech

  • Global Moderator
Quote from: Graham1
Hi Egemen

Thanks for the update :-TU. Is CCAV protected against this threat? If not, is CIS protected under the default configuration? (isn't HIPS disabled by default?) Please advise as I just want to use the best security (inc. configuration) that Comodo has to offer.

:)

CCAV will run all unknowns in the sandbox so again it shouldn't be affected. As for CIS you should switch to the proactive configuration as pointed out by Jon79.

Offline egemen

  • Comodo Staff
Quote from: futuretech
CCAV will run all unknowns in the sandbox so again it shouldn't be affected. As for CIS you should switch to the proactive configuration as pointed out by Jon79.

One addition: CIS will also sandbox unknowns by default. Even without proactive config, it will still sandbox.

Offline futuretech

  • Global Moderator
Thanks egemen for the response and clarifications on this matter.  :-TU

Offline egemen

  • Comodo Staff
Quote from: futuretech
Thanks egemen for the response and clarifications on this matter.  :-TU

Sure, np. I appreciate our deep technical responses. Very impressive.

Have you noticed the new rule in CIS 10? It has a new rule saying sandbox any unknown introduced less than 3 days ago.

Offline Jon79

Quote from: egemen
Sure, np. I appreciate our deep technical responses. Very impressive.

Have you noticed the new rule in CIS 10? It has a new rule saying sandbox any unknown introduced less than 3 days ago.

That's at default configuration, on Proactive there's no time limit :)

For a great setup of CIS, please check this https://www.youtube.com/watch?v=FoIu3Z2ImO8&ytbChannel=cruelsister1

Offline egemen

  • Comodo Staff
Quote from: Jon79
That's at default configuration, on Proactive there's no time limit :)

For a great setup of CIS, please check this https://www.youtube.com/watch?v=FoIu3Z2ImO8&ytbChannel=cruelsister1

Sure. That's why Vault 7 is afraid of you guys :)

 
