2 April 2017

THIS CLEVER ‘DOUBLE AGENT’ DIGITAL/CYBER ATTACK TURNS ANTIVIRUS INTO MALWARE; EVEN MEASURES LIKE A SYSTEM REBOOT,WON’T ELIMINATE A DOUBLEAGENT ATTACK.


Lily Hay Newman had an online article last week, (March 23, 2017), on WIRED.com’s website. Build a digital mousetrap, and the digital mice will eventually find a way around it. And, the ingenuity and cleverness of the cyber thieves continues to evolve, and as you might expect — they get more devious with time. Ms. Newman begins: “Your antivirus (AV) software might come with some annoyances. It might slow your computer down. “But, researchers have discovered a more sinister downside: A well intentioned debugging tool found in many versions of Microsoft Windows can be used maliciously to gain access to vulnerable antivirus programs, and weaponize them.”

“Discovered by researchers at the Israeli cyber security defense firm — Cybellum, the so-called “DoubleAgent attack” takes advantage of the Microsoft Application Verifier, a tool used for strengthening security in third-party Windows applications, to inject customized code into programs. The approach could potentially manipulate any software target; but, antivirus programs would be particularly appealing to an attacker since they have such extensive system privileges for scanning,” Ms. Newman wrote.

“You’re installing antivirus to protect you [your devices]; but actually you’re opening a new attack vector into your computer,” said Slava Bronfman, CEO of Cybellum. “Hackers usually try to run away from AV, and hide from it — but now, instead of running away — they can directly attack the AV. And once they control it, they don’t even need to uninstall it, they can just keep quietly keep it running.”

“As the [digital] attack unfolds,” Ms. Newman wrote, “it allows malicious code to become persistent, since it entered through the legitimate Application Verifier Tool. “The researchers say that even measures like a system reboot, won’t eliminate a DoubleAgent attack. And, once hackers control the antivirus program — they can manipulate it to execute all sorts of attacks — from passive surveillance, to encrypting, and ransoming off data, because of the inherent trust operating systems place in antivirus programs.”

“Once we discovered this attack, we tried to discover which impact it has, and which limitations, and we quickly understood it has none,” said Cybellum Chief Technology Officer, Michael Engstler. “You can actually use it to inject any process — so, once we understood that we understood that there was a major problem here.”

Ms. Newman notes that “the researchers notified the developers of 14 vulnerable antivirus programs (Avast, AVG, Avira, Bitdefender, Trend Micro, Comodo, ESET, F-Secure, Kapersky, Malwarebytes, McAfee, Panda, Quick Heal, and Norton) and say thery waited 90 days before publicly disclosing the bug. So far, only Malwarebytes, AVG, and Trend Micro have released a patch. There isn’t particular evidence so far — that the vulnerability has ever been exploited; but, it’s impossible to know for sure, especially since Windows has included the Application Verifier since the XP days. “it doesn’t seem like they’re working so hard to solve this problem,” Engstler said. “I’m sure, now with all the publicity, things will get faster and, that’s one of the motivations for publishing this; but until now, it seems a little bit slower than we thought [expected].”

“The vulnerability is dangerous in itself; but, it also speaks to the larger concerns about the role of antivirus and the incidental insecurity it can introduce into a system,” Ms. Newman wrote.

“Personally, I have stopped using antivirus products, I do not remember the last time I had it in my primary PC,” said Mohammad Mannan, a ][cyber] security researcher at Concordia University in Montreal, and who has studied antivirus vulnerabilities. “All software has bugs; but, if something goes wrong with antivirus products the fallout can be very significant as in this case [with Double Agent]. Antivirus products generally run with a lot of privileges in the system, so if it can be compromised you basically get full access,” Mr. Mannan said.

Ms. Newman notes in closing that, “Microsoft released a security-minded architecture for antivirus three years ago called, Protected Processes, that successfully protects users from Double Agent. The researchers found only one antivirus program that had implemented Protected Processes — Microsoft’s own Windows Defender.” 

In intelligence parlance, a double agent is a spy who you had, or have on your payroll, who has been turned or defected to the adversary. So, while you think he is working for you — he/she really isn’t and instead — working for your opponent. That is essence is what Double Agent malware does. You feel good about your devices’ digital security, because you are comforted by the fact that you have a debugging tool that Microsoft has your digital back so to speak…….except it doesn’t. This malware is particularly devious, or sick and twisted as some might say; and, is giving you a false sense of the security of your devices. 

There is an old saying about deployed mousetraps — ‘it is the second mouse that always gets the cheese.’ Leave it to the digital thieves, spies, malcontents, and others to one-up the real mousetrap. Double Agent malware allows the first mouse to dine as well.

No comments: