DoubleAgent Attack Can Turn Your Antivirus Into an Malware

The DoubleAgent attack can be used to take full control over all the major antivirus software . You ask why this weird name, Well a virus...

The DoubleAgent attack can be used to take full control over all the major antivirus software. You ask why this weird name, Well a virus/malware generally would try to hide from your antivirus as best as possible, But this malware instead of hiding from your Windows Antivirus Software, it plays a patches with windows and your antivirus software and turns your Antivirus Software to play double role of  harming your pc instead of protecting it, DoubleAgent actually attacks the antivirus software itself and take control of your windows antivirus software and turn it into an malware. The security researchers from Cybellum have found this technique that if got in wrong hands can be used by the cyber criminals to hijack your computer very easily.

The DoubleAgent Attack takes advantage of a important feature of Windows, Which is about 15-year-old, And because it's an important feature of Windows itself. It affects all versions of Microsoft Windows and  it can’t be patched for now. The Cybellum's website mentions that most antivirus vendors are still unable to patch this vulnerability. Cybellum has also tested the DoubleAgent on all major antivirus software's available for windows and reported it to there respective vendors. But at the time of writing this, only Malwarebytes and AVG have released a patch to fix this.

Here is the list of Windows Antivirus Software's that are affected by this vulnerability:

• Avast
• AVG
• Avira
• Bitdefender
• Trend Micro
• Comodo
• ESET
• F-Secure
• Kaspersky
• Malwarebytes
• McAfee
• Panda
• Quick Heal
• Norton

How exactly DoubleAgent attacks the Antivirus itself?

Whenever you try to run an windows system  application Microsoft Application Verifier, verifies the apps, this lets developers to verify and debug code of the applications. Cybellum researchers discovered that Microsoft allows developers to inject there own custom verifier.dll into any application. This process gives an developer or we can say attacker the ability to inject any DLL into any windows process.

If we talk about the complexity of the attack, DoubleAgent has the ability to modify the functionality of an antivirus and it can turn an windows antivirus software into an malware itself,  Although Cybellum team had there focus only on antivirus software, but researchers have said that the DoubleAgent is not only a threat for security applications but the logic behind this attack also have the ability to corrupt any process even the Windows OS too.

Cybellum have advised that the antivirus company's should use Microsoft's new Protected Processes technic, which was first seen in Windows 8.1. The Protected Processes is a new process that Microsoft made for Windows Defender to make it more safe, The Protected Processes do not let any other apps to inject unsigned code into any process.

You can read more details about DoubleAgent Attack on Cybellum’s website. The DoubleAgent source code is available on GitHub.

While almost all antivirus applications are vulnerable with this attack, Comodo denied that Comodo internet security is affected by DoubleAgent, And Cybellum proved there claim wrong in this video by executing and recording the attack on the Comodo Internet Security in the below video:

DoubleAgent Attack on Comodo Internet Security:

DoubleAgent Attack on Norton Antivirus:

DoubleAgent Attack on Avira Antivirus: