The threat stems from a newly discovered zero-day flaw in Microsoft Corp’s operating system that could enable hackers to avoid most conventional methods of combating malware. Cybellum detailed in a blog post that the issue lies with Application Verifier, a mechanism employed by Windows to identify applications suffering from security flaws. The tool’s weakness is the way in which it looks for vulnerabilities.
Under normal circumstances, Application Verifier attaches to each program a DLL that looks for misuse of memory resources and other potential indicators of foul play. DoubleAgent, as Cybellum has named the exploit, allows hackers to replace that DLL with malware.
Because Application Verifier is part of Windows, the access rights it is granted allow hackers to carry out a wide range of attacks with little risk of detection. Cybellum says DoubleAgent can be exploited to, among other things, steal data from a program, alter its behavior and infect other software. Worse, the DLL files used by the mechanism are permanently registered in the part of Windows responsible for launching programs, which means an infection can’t be cleared by reinstalling a compromised application.
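The per-program verifier DLL registrations the article refers to live under the Image File Execution Options (IFEO) registry key, where Application Verifier reads a VerifierDlls value and a GlobalFlag bit for each executable. The following PowerShell check is added here and is not part of the article or of Cybellum’s research; it lists those registrations and flags any whose DLL is missing from System32, unsigned or not signed by Microsoft, which is the kind of anomaly a defender would want to review on a host running security software.

```powershell
# Added defender-side check (not from the article or Cybellum): enumerate
# Application Verifier registrations under the IFEO registry key and report
# which DLLs each program is configured to load at launch.
# Assumes the standard IFEO location and that verifier DLLs are resolved
# from the System32 directory, as Application Verifier does.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
# FLG_APPLICATION_VERIFIER bit in GlobalFlag turns the verifier on for that image.
$verifierFlag = 0x100

function Get-VerifierRegistrations {
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $dlls  = $props.VerifierDlls
        if ([string]::IsNullOrWhiteSpace($dlls)) { return }
        $flags = 0
        if ($null -ne $props.GlobalFlag) { $flags = [int]$props.GlobalFlag }
        # VerifierDlls is a space-separated list of DLL file names.
        foreach ($dll in ($dlls -split '\s+' | Where-Object { $_ })) {
            $path = Join-Path $env:SystemRoot "System32\$dll"
            $sig  = if (Test-Path $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
            [pscustomobject]@{
                Image       = $_.PSChildName
                VerifierDll = $dll
                VerifierOn  = (($flags -band $verifierFlag) -ne 0)
                SigStatus   = if ($sig) { $sig.Status } else { 'NotFound' }
                SignedBy    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned or missing)' }
            }
        }
    }
}

# Registrations that are active and whose DLL is missing, unsigned, or not
# signed by Microsoft deserve a closer look, especially when the image is a
# security product. Review the full list too: a legitimate debugging session
# can leave a registration behind, so judge each entry in context.
Get-VerifierRegistrations |
    Where-Object { $_.VerifierOn -and ($_.SigStatus -ne 'Valid' -or $_.SignedBy -notmatch 'Microsoft') } |
    Format-Table -AutoSize
```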
Cybellum claims that DoubleAgent may be exploited to breach “any” Windows software, but the risk to antivirus offerings is particularly severe, given their vital role in upholding security and the increased likelihood that attackers will target them. The internal safeguards most threat detection tools employ to block tampering did little to mitigate the exploit in the startup’s tests. According to the blog post, its researchers found 14 popular antivirus programs to be vulnerable.
Cybellum CEO Slava Bronfman told Network World that only AVG and Malwarebytes have patched their respective offerings so far, but the rest of the market will no doubt follow suit given the severity of the threat. Microsoft can be expected to issue a patch as well, given that the fault is ultimately in Windows. In the meantime, users of the company’s operating system should probably take extra care to avoid suspicious sites and risky downloads.