Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    Does DoubleAgent Turn Antivirus Into Malware? We Are Calling BS On That.

    DoubleAgent zero-day antivirus attackIt was all over the press. Initially reported by Bleepingcomputer and picked up by sites like Endgadget, they all went gaga over a new technique that allows the bad guys to take over your computer by "turning your antivirus into malware." Here is an example snippet:

    "Security researchers from Cybellum have discovered another technique cyber criminals can use to take over your computer. The zero-day attack called DoubleAgent exploits Microsoft's Application Verifier tool, which developers use to detect and fix bugs in their apps.

    Developers have to load a DLL into their applications to check them, and Cybellum's researchers found that hackers can use the tool to inject their own DLLs instead of the one Microsoft provides. In fact, the team proved that the technique can be used to hijack anti-virus applications and turn them into malware.

    The corrupted app can then be used to take control of computers running any version of Windows from XP to the latest release of Windows 10."

    And then they tested some AV apps and sure enough a bunch of them could be exploited this way, but any app on the machine could be treated that way. Some AV companies issued patches and said they had fixed the problem. Some news sites even had a video showing how DoubleAgent "can turn an anti-virus app into a ransomware that encrypts files until you pay up." Yeah, sure.

    We're Calling BS

    The non-technical press is missing that you need to make registry changes and have admin access to the machine to begin with, so this whole code injection technique is cute, but nothing to write home about. The bad guy already owns the machine! This story is only about using Application Verifier in a post-breach situation. 

    The only AV company that stood their ground was Symantec and they said the right thing:

    "After investigating this issue we confirmed that this PoC does not exploit a product vulnerability within Norton Security. It is an attempt to bypass an installed security product and would require physical access to the machine and admin privileges to be successful. We remain committed to protecting our customers and have developed and deployed additional detection and blocking protections to users in the unlikely event they are targeted."

    Good for you Symantec.

     

    Return To KnowBe4 Security Blog

    Topics: Cybercrime

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews