Yep, even in antivirus!

Security researchers from Cybellum, an Israeli security firm, has discovered a vulnerability that could allow code injection code technique works on all versions of Microsoft Windows operating systems, starting from Windows XP to the latest release of Windows 10:

DoubleAgent can exploit:
Every Windows version (Windows XP to Windows 10)
Every Windows architecture (x86 and x64)
Every Windows user (SYSTEM/Adminetc.)Every target process, including privileged processes (OS/Antivirus/etc.)

The attack, dubbed DoubleAgent, exploits a 15 years old undocumented (legitimate) feature of Windows called “Application Verifier”, a runtime verification tool that loads DLLs into processes for testing purpose, allowing developers quickly detect and fix programming errors in their applications:

Code Injection
DoubleAgent gives the attacker the ability to inject any DLL into any process. The code injection occurs extremely early during the victim’s process boot, giving the attacker full control over the process and no way for the process to protect itself.
The code injection technique is so revolutionary that it’s not detected or blocked by any antivirus.

DoubleAgent can continue injecting code even after reboot making it a perfect persistency technique to “survive” rebootsupdatesreinstallspatchesetc.
Once the attacker decides to inject a DLL into a process, they are forcefully bounded forever. Even if the victim would completely uninstall and reinstall its program, the attacker’s DLL would still be injected every time the process executes.

DoubleAgent exploits a 15 years old undocumented legitimate feature of Windows and therefore cannot be patched.

Turn antivirus in a ransomware?

Cybellum has also published a video to demonstrate the DoubleAgent attack: the researchers has corrupted the anti-virus app and turned it into a disk-encrypting ransomware:


Vulnerable Antiviruses

The list of vendors that have been tested and found to be vulnerable to DoubleAgent.
The tests were done on the latest version of the vendor on Windows 10 x64 using our POC code.


The researchers note that the simplest fix for antivirus vendors is to switch from Application Verifier to a newer architecture called Protected Processes:

Microsoft has provided a new design concept for antivirus vendors called Protected Processes. The new concept is specially designed for antivirus services. Antivirus processes can be created as “Protected Processes” and the protected process infrastructure only allows trusted, signed code to load and has built-in defense against code injection attacks. This means that even if an attacker found a new Zero-Day technique for injecting code, it could not be used against the antivirus as its code is not signed. Currently no antivirus (except Windows Defender) has implemented this design.

Even though Microsoft made this design available more than 3 years ago.

More technical informations