Security researchers have found a new type of malware that abuses antivirus software to attack a computer. The new malware was discovered by security researchers from Cybellum, who call their method DoubleAgent. DoubleAgent is able to modify antivirus software by injecting code into it, in such a way that an attacker can take full control over it.
DoubleAgent exploits a 15-year-old vulnerability in the Microsoft Application Verifier that is available in all Windows versions from XP to Windows 10. The Microsoft Application Verifier is normally used to find bugs in Windows applications.
The security researchers have found a way to use this tool to hijack software and make it do what they want. By attacking antivirus software with DoubleAgent, an attacker is able to disable it remotely. After the antivirus software is turned off, malware can be installed without the victim noticing it.
Because the hijacked software has access to the computer, it can also provide malware with full privileges. This means the antivirus software actually aids in the attack.
According to the researchers, virus scanners from McAfee, Kaspersky, Norton and Avast are vulnerable to the attack. Antivirus company Malwarebytes has already protected its software against the DoubleAgent technique, and Trend Micro plans to release an update soon.
Software vendors can protect themselves against the attack by using ‘Protected Processes’ in their applications. When this is used, it’s impossible to execute unsigned code in their applications.