Security startup Cybellum recently announced a new attack that they’re calling “DoubleAgent”. They’ve labelled this a zero day “attack for taking full control over major antiviruses and next-generation antiviruses”. There’s a lot to unpack here.
When you’re assessing the risk any issue poses it’s always best to clearly define the issue. Let’s start there.
A lightly documented feature included in Microsoft Windows since XP is called Application Verifier. This is a two part feature that is designed to help developers test their applications.
There’s a user interface (available as part of the Windows SDK) and a hook inside windows itself. The hook allows an administrator to load custom privileged code (a verifier) before any registered application by setting a simple registry key.
The intention behind this feature is to allow developers to subject their application to “a variety of stresses and tests” as part of the development and testing process. When used as intended, Application Verifier can help you build stable, more resilient applications.
Developers have been taking advantage of this feature since its inception almost 15 years ago. Creating a custom verifier has been documented before however most developers leverage the default verifier provided by Microsoft.
The security researchers in this case have created their own malicious verifier as a proof of concept (PoC). This enables them to stage the attack they’ve demonstrated on various security products. The target could have just as easily been your browser, your collaboration tools, or almost any other Windows application.
The attack demonstrated by the research team takes this feature and uses it to their own ends. Using administrative privileges, they leverage the Application Verifier feature and take complete control of the installed security tool.
It’s a dramatic—if unlikely—demonstration and would have a significant impact on the target system.
In simple terms, the attackers have;
- <Gained administrative privileges to the target system using another method
- Downloaded and installed their own malware
- Made Windows load their malware before the target application
The result is that their malware has the capability to control the target application if they’ve invested the time to reverse engineer the target application. To manipulate the target application as demonstrated, the malware needs to understand some of the targets inner workings.
While not impossible, this requires a lot of effort. And with administrative credentials in hand, there’s other areas that attackers are more likely to focus on.
DoubleAgent is definitely not a point and click attack.
Evaluating the risk from abused features like this case is always challenging. Because this is an operating system feature, it has the potential to impact almost any application running on the system.
In order to pull off this attack, the attack must have administrator privileges on the target system so they can set the VerifierDlls registry key for the target application.
This requirement means that attackers already have to have a privileged position on the target system. This is not an attack that would be used to gain initial access.
DoubleAgent is an interesting example of a high impact but low probability attack. It needs to be addressed and should be of concern but while keeping in mind its narrow attack vector and technical complexity. Your average cybercriminal is unlikely to be using this attack when there are other more profitable options available.
Microsoft added new functionality—protected services—to Windows 8.1 and Windows Server 2012 to address this type of attack against certain classes of applications like security software. This is one of many self-protection techniques that software can use to ensure that it’s working as expected.
Unfortunately, Windows 7 still dominates with about 48 percent of all Windows installs out there meaning that most users wouldn’t benefit if products invested in the significant architecture change.
The most effective defence against this attack is to work to defend against anyone gaining administrative privileges, monitoring for registry changes specific to VerifierDlls keys, and continuing to scan emails/web traffic for malicious activities.
Microsoft is taking steps to address the issue as evidenced by the new protected services framework. This in combination with other security features in the operating system should help to reduce the potential impact of this attack.
[ Trend Micro is actively investigating this issue and deploying improved self-protection measures for its products where appropriate. For more information please refer to “ Trend Micro Products and the DoubleAgent Security Issue CVE-2017-5565 ” ]