Cybellum says the DoubleAgent attack is also capable of compromising other antivirus products. The method works by manipulating the Microsoft Application Verifier, a runtime verification tool that detects bugs in, and improves the security of, third-party Windows programs. The tool ships with every Windows version from Windows XP through Windows 10.

How DoubleAgent works

Cybellum explained how DoubleAgent works: the problem does not lie within Windows itself but in the antivirus products offered by security vendors. Cybellum claims DoubleAgent can be used to attack organizations that run the susceptible antivirus programs. Malwarebytes, AVG, and Trend Micro are among the vendors that have fixed the issue in their respective products. Windows Defender appears to be the only antivirus product immune to DoubleAgent, because it uses a Windows mechanism called Protected Processes, which secures anti-malware services that run in user mode.
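As an added defender-side example, not code from the article or from Cybellum: a PowerShell audit that lists which executables have Application Verifier DLLs registered, since that registration is the mechanism the attack manipulates. It assumes the documented Application Verifier layout, which the article does not spell out: one Image File Execution Options subkey per image name, a GlobalFlag value with bit 0x100 (FLG_APPLICATION_VERIFIER) set, and a VerifierDlls value naming the DLLs loaded at process start; the watch-list entry is a placeholder.

```powershell
# Added example (not from the article or Cybellum): audit Image File Execution Options
# for Application Verifier registrations. Assumed, documented layout:
#   HKLM\...\Image File Execution Options\<image.exe>\GlobalFlag   (bit 0x100 = verifier on)
#   HKLM\...\Image File Execution Options\<image.exe>\VerifierDlls (DLLs loaded into that image)
function Get-AppVerifierRegistrations {
    [CmdletBinding()]
    param(
        # Image names that should never have verifier DLLs registered on a production host.
        # Placeholder only; replace with the service executables of your own security products.
        [string[]] $WatchList = @('YourAvService.exe')
    )

    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )

    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue

            # GlobalFlag is normally REG_DWORD, but some tools write it as a "0x..." string;
            # [int] handles both forms.
            $globalFlag = 0
            if ($null -ne $props.GlobalFlag) { $globalFlag = [int]$props.GlobalFlag }
            $verifierOn = ($globalFlag -band 0x100) -ne 0
            $dlls = $props.VerifierDlls

            # Skip images with neither the verifier bit nor any DLL registered.
            if (-not $verifierOn -and [string]::IsNullOrWhiteSpace($dlls)) { continue }

            [pscustomobject]@{
                Image        = $key.PSChildName
                Hive         = $root
                VerifierOn   = $verifierOn
                VerifierDlls = $dlls
                OnWatchList  = ($WatchList -contains $key.PSChildName)
            }
        }
    }
}

# Any hit is worth a look; a hit on a security product's own executable deserves immediate review.
Get-AppVerifierRegistrations | Sort-Object OnWatchList -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so both the 64-bit and WOW6432Node hives are readable; on a clean host the output is normally empty unless a developer has deliberately enabled Application Verifier for a program under test.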

Mitigation

Microsoft offers Protected Processes as a way to ensure that only trusted, signed code is loaded into a process. As a result, attackers cannot use DoubleAgent against an antivirus that runs as a protected process, even if they find a new zero-day injection technique, because their code would not be loaded. Proof-of-concept attack code is now available on GitHub, published by Cybellum.
