A New Vulnerability Uses Antivirus To Cause Malware Infection
There was a time when anyone who bought a computer would, as soon as the system arrived, think of an antivirus. The antivirus, it was thought, was enough to “ward off all evils”. In those days, people wouldn’t even worry about updating their antivirus software regularly. They felt reassured simply because the antivirus was there.
Then, as internet technology developed and cyber professionals got smarter, cyber criminals too started developing all kinds of innovative methods to attack computers. New, sophisticated malware started pounding systems and networks worldwide. Antivirus software, though it retained its relevance, proved not enough to tackle the new kinds of threats. Today, we have arrived at a stage where anyone can be attacked at any time by cyber criminals. The antivirus is just one of the many weapons we arm ourselves with in the constant, never-ending fight against cyber crime.
Cyber criminals, in their never-ending quest for innovation, have now started using anti-malware software itself to carry out their attacks. Once in a while, we read reports of hackers using antivirus software to infect systems with malware. Here’s the latest such report making the rounds…
Florian Bogner, an Austria-based security auditor, has discovered a new vulnerability that uses antivirus software to carry out a malware attack. Dubbed AVGater, this exploit takes advantage of the “restore from quarantine” function found in many antivirus solutions. The quarantined malware is relocated from the quarantine folder to anywhere on the victim’s system, including sensitive locations.
Digital Trends reports – “Under normal circumstances, the restore from quarantine function would not allow a non-administrator to write a file to the computer’s C:\Program Files or C:\Windows folders, but this attack takes advantage of Windows’ NTFS function to grant the user access to these folders.” The report further says, “As impressive as this all sounds, there is one major flaw which will drastically limit the scope of this exploit. In order to do any of this, the hacker in question must physically be at the computer they wish to infect. Given that most malware is spread via the internet, it is unlikely that this exploit will cause major problems.”
Florian Bogner, the man who discovered the vulnerability, explains how it all works in a detailed post on his website – “#AVGater can be used to restore a previously quarantined file to any arbitrary filesystem location. This is possible because the restore process is most often carried out by the privileged AV Windows user mode service. Hence, file system ACLs can be circumvented (as they don’t really count for the SYSTEM user). This type of issue is called a privileged file write vulnerability and can be used to place a malicious DLL anywhere on the system. The goal is to side load this library for a legitimate Windows service by abusing the DLL Search Order… If this succeeds, arbitrary code can be executed with the help of the DLLMain entry point.”
Well, that is the technical explanation. Bogner also gives a plain and simple explanation of the vulnerability – “#AVGater in plain English: By abusing NTFS directory junctions, the AV quarantine restore process can be manipulated, so that previously quarantined files can be written to arbitrary file system locations.”
Bogner has notified the affected companies about the flaw, and some of them have already released fixes. As Bogner notes, the notable thing about AVGater is that it requires the attacker’s physical presence. Yet he feels this exploit could turn out to be a big problem in shared computer environments.
Florian Bogner suggests ways to prevent AVGater. He says – “Always install updates in a timely manner. However, as some vendors still need a few more days to release their fix, it may take a little while till everyone is protected… Furthermore, as #AVGater can only be exploited if the user is allowed to restore previously quarantined files, I recommend everyone within a corporate environment to block normal users from restoring identified threats.”
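The junction trick Bogner describes works because the privileged restore routine writes to whatever path the user supplies without checking whether a directory on that path is really a redirection. The guarded restore below is an added example (not code from Bogner or any AV vendor) showing the check such a routine should make: it refuses to write through any symlink or junction in the target's ancestor chain and refuses any target whose resolved location leaves the directory the user is allowed to restore into. The demo builds a constructed scenario in a temporary directory, using a POSIX symlink in place of an NTFS junction; `safe_restore` and `demo` are names chosen here.

```python
"""Guarded quarantine restore: refuse targets that pass through a
filesystem redirection (symlink/junction) or leave the allowed root."""
import os
import shutil
import tempfile


def _is_redirect(path: str) -> bool:
    """True if `path` is a symlink or an NTFS junction (Python 3.12+)."""
    isjunction = getattr(os.path, "isjunction", lambda _p: False)
    return os.path.islink(path) or isjunction(path)


def safe_restore(quarantined: str, target: str, allowed_root: str) -> bool:
    """Copy `quarantined` to `target` only if no ancestor of `target` is a
    reparse point and the resolved target stays inside `allowed_root`."""
    root = os.path.realpath(allowed_root)
    probe = os.path.abspath(target)
    while True:  # walk ancestors without resolving them, checking each
        parent = os.path.dirname(probe)
        if parent == probe:
            break
        if os.path.lexists(parent) and _is_redirect(parent):
            return False  # a junction/symlink on the path: refuse
        probe = parent
    if os.path.lexists(target) and _is_redirect(target):
        return False  # the target itself is a redirection: refuse
    final = os.path.realpath(target)
    if os.path.commonpath([root, final]) != root:
        return False  # resolved path escapes the allowed root: refuse
    os.makedirs(os.path.dirname(final), exist_ok=True)
    shutil.copyfile(quarantined, final)
    return True


def demo() -> tuple:
    """Constructed scenario: a user-writable root containing a link that
    points at a protected directory, as a junction would on Windows."""
    base = tempfile.mkdtemp()
    root, protected = os.path.join(base, "user_files"), os.path.join(base, "protected")
    for d in (root, protected):
        os.makedirs(d)
    q = os.path.join(base, "quarantine.bin")
    with open(q, "wb") as f:
        f.write(b"constructed placeholder payload, not real malware")
    os.symlink(protected, os.path.join(root, "redirect"))
    honest = safe_restore(q, os.path.join(root, "doc.txt"), root)
    hijacked = safe_restore(q, os.path.join(root, "redirect", "evil.dll"), root)
    shutil.rmtree(base)
    return honest, hijacked  # (True, False)
```

A restore service that additionally runs the check as the requesting user, or only allows administrators to restore, closes the remaining gap Bogner points to.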