DoubleAgent: Taking Full Control Over Your Antivirus

Discussion in 'other anti-malware software' started by Mister X, Mar 22, 2017.

  1. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,458
    Location:
    Mexico
    https://cybellum.com/doubleagent-taking-full-control-antivirus/
     
  2. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,147
    The Mitigation is to start the Antivirus as a Protected Process:
    For example users of Process Logger Service can search the logfiles for "Protected Process: True" to find out what process was being started as a Protected Process.

    According to the above report #1, Windows Defender is the only Antivirus which is being started as a Protected Process:
    More information about Protected Processes:
     
  3. illicit

    illicit Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    96
    This has been a known problem (potential problem) for some time now. I always get a little heartburn when I see those on here recommending people to stick with just one security suite or AV and boldly claim they will be protected. Antivirus software operates at elevated permissions, and like most other software, is not immune to its own vulnerabilities. Not a good combination. IMO, you should ALWAYS have at least one complementary product (VoodooShield, AppGuard, NVT ERP, HMPA etc.) to "watch the watcher" and have a good set of backups.
     
  4. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,148
    Mood, are you just using Notepad to view log files and edit the config file? Otherwise, what program are you using to do a search in the log file? It is kind of a pain to just use Notepad.
    Currently I just use the find button in the edit tab for "protected process: true".
    And on my system, out of all my security software, the only one is Windows Defender.
     
  5. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    983
    Location:
    Québec, Canada
    Is MSE ok too?
    Or just W10's Defender?
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,291
    Location:
    U.S.A.
    Appears the author didn't do his research properly. Eset does run as a Level 0 protected process. The same level as System.

    Eset_Protected.png
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,291
    Location:
    U.S.A.
    However, this article does explain how another AV I had used in the past was able to be hacked.

    -EDIT- And this technique is exactly what the malware did; it registered a .dll in the registry. The sucker was also packed and encrypted so no other security scanner could detect it by sig.
     
    Last edited: Mar 22, 2017
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,291
    Location:
    U.S.A.
    I would open up these solutions in Process Explorer as I did for Eset in reply #6 and validate they are running at Level 0 as a protected process.
     
  9. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    2,495
    Location:
    .
    http://www.networkworld.com/article...t-attack-can-turn-antivirus-into-malware.html
     
  10. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,740
    Thanks itman !

    PS:
    As far as I know the ESET ELAM driver is C:\Program Files\ESET\ESET NOD32 Antivirus\Drivers\eelam\eelam.sys
     
  11. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,458
    Location:
    Mexico
    Searching for psproctectedsignerantimalware does not yield anything.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,291
    Location:
    U.S.A.
    Correct.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,291
    Location:
    U.S.A.
    In regards to which product?
     
  14. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,458
    Location:
    Mexico
    Last edited: Mar 22, 2017
  15. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,458
    Location:
    Mexico
    AppGuardAgent.exe, ERPSvc.exe and none of Sandboxie's components are protected that way: psproctectedsignerantimalware

    In fact their protection is 0. All of them.

     
    Last edited: Mar 23, 2017
  16. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,458
    Location:
    Mexico
    These are the only protected (PsProtectedSignerWin) processes in my Win8.1:
    audiodg.exe
    csrss.exe
    services.exe
    smss.exe
    System

    Protected Services.png
     
  17. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,458
    Location:
    Mexico
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,971
    Location:
    Toronto, Canada
  19. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,147
    It can also be seen in Process Hacker after looking into the file properties: "Protection: Yes"
    I'm not aware of other locations to see this information. There is no "Protection"-tab like in Process Explorer or something similar.
    ProcessHacker_Protected-Process.png
     
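    An added example, not code from this thread or from Process Explorer/Process Hacker: Python that reads the same protection level those tools display, by calling NtQueryInformationProcess with the ProcessProtectionInformation class and decoding the PS_PROTECTION byte into the PsProtectedSigner... labels quoted in the posts above. The Windows-only query is kept separate from the pure decoder so the decoder can be exercised on any platform; the byte layout (type in bits 0-2, signer in bits 4-7) is the documented PS_PROTECTION structure, and the "-Light" suffix mirrors Process Explorer's display.

```python
import ctypes
import sys

# PS_PROTECTION byte returned for information class 61: bits 0-2 Type,
# bit 3 Audit, bits 4-7 Signer. Labels match Process Explorer's Protection column.
PROCESS_PROTECTION_INFORMATION = 61
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PS_PROTECTED_TYPES = {0: "None", 1: "ProtectedLight", 2: "Protected"}
PS_PROTECTED_SIGNERS = {
    0: "None", 1: "Authenticode", 2: "CodeGen", 3: "Antimalware",
    4: "Lsa", 5: "Windows", 6: "WinTcb", 7: "WinSystem", 8: "App",
}


def decode_protection(level: int) -> dict:
    """Split the raw PS_PROTECTION byte into type, signer and display label."""
    ptype = PS_PROTECTED_TYPES.get(level & 0x7, "Unknown")
    signer = PS_PROTECTED_SIGNERS.get((level >> 4) & 0xF, "Unknown")
    if ptype == "None":
        label = "None"          # an ordinary, unprotected process
    else:
        label = "PsProtectedSigner" + signer
        if ptype == "ProtectedLight":
            label += "-Light"   # PPL, the level ELAM-registered AV services get
    return {"type": ptype, "signer": signer, "label": label, "raw": level}


def query_process_protection(pid: int) -> dict:
    """Query a live process (Windows only). PROCESS_QUERY_LIMITED_INFORMATION
    is an access right a protected process still grants to unprotected callers."""
    if sys.platform != "win32":
        raise OSError("process protection can only be queried on Windows")
    kernel32, ntdll = ctypes.windll.kernel32, ctypes.windll.ntdll
    kernel32.OpenProcess.restype = ctypes.c_void_p
    kernel32.OpenProcess.argtypes = [ctypes.c_ulong, ctypes.c_int, ctypes.c_ulong]
    kernel32.CloseHandle.argtypes = [ctypes.c_void_p]
    ntdll.NtQueryInformationProcess.restype = ctypes.c_long
    ntdll.NtQueryInformationProcess.argtypes = [
        ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_ulong, ctypes.c_void_p]
    handle = kernel32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, 0, pid)
    if not handle:
        raise ctypes.WinError()
    try:
        level = ctypes.c_ubyte(0)   # PS_PROTECTION is a single byte
        status = ntdll.NtQueryInformationProcess(
            handle, PROCESS_PROTECTION_INFORMATION, ctypes.byref(level), 1, None)
        if status != 0:
            raise OSError(f"NtQueryInformationProcess: NTSTATUS 0x{status & 0xFFFFFFFF:08x}")
        return decode_protection(level.value)
    finally:
        kernel32.CloseHandle(handle)
```

    On a Windows box, `query_process_protection(<pid>)` for an AV service started through an ELAM driver returns the label "PsProtectedSignerAntimalware-Light", while an unprotected service returns "None".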
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,971
    Location:
    Toronto, Canada
    Alex Ionescu (https://twitter.com/aionescu) is calling BS on this Cybellum startup. He's rather worked up on this, it seems.

    Link: https://twitter.com/aionescu/status/844585650238107648

    Link: https://twitter.com/aionescu/status/844586085753675777

    Link: https://twitter.com/aionescu/status/844587195356725248

    And more...
     
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    739
    Location:
    Italy
    You can use Registry Guard Service, here is the link:
    http://www.novirusthanks.org/products/registry-guard-service/

    To prevent your IFEO key from being abused, example rules:

    Code:
    [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*] [%VAL%: VerifierDlls]
    [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*] [%VAL%: VerifierDlls]
    
     
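    An added example, not code from this thread or from Registry Guard Service: a Python audit over `reg export` text of the IFEO key that lists every image subkey carrying the VerifierDlls value the rules above protect, together with whether that image's GlobalFlag has the Application Verifier bit (FLG_APPLICATION_VERIFIER = 0x100) set. The .reg text is constructed for the example; on a real system the same function can be fed the output of `reg export` for the IFEO key and its Wow6432Node twin.

```python
# FLG_APPLICATION_VERIFIER bit of an image's GlobalFlag value: with it set and a
# VerifierDlls entry present, the loader pulls those DLLs into every new
# instance of that image, so both values belong in an IFEO review.
FLG_APPLICATION_VERIFIER = 0x100
IFEO_MARKER = "\\image file execution options\\"

# Constructed 'reg export' text standing in for a real export of the IFEO key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avservice.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="constructed_test.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="vsjitdebugger.exe"
'''


def parse_reg_export(text: str) -> dict:
    """Minimal parser for .reg (v5.00) text: {key path: {value name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            if raw.startswith("dword:"):
                value = int(raw[6:], 16)
            elif raw.startswith('"'):
                value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            else:
                value = raw  # hex(...) / binary values are kept verbatim
            keys[current][name.strip('"')] = value
    return keys


def audit_ifeo(text: str) -> list:
    """One finding per IFEO image subkey that carries a VerifierDlls value."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if IFEO_MARKER not in key.lower() or "VerifierDlls" not in values:
            continue
        gflag = values.get("GlobalFlag", 0)
        findings.append({
            "image": key.rsplit("\\", 1)[-1],
            "wow6432": "\\wow6432node\\" in key.lower(),
            "dlls": str(values["VerifierDlls"]).split(),  # space-separated list
            "verifier_enabled": isinstance(gflag, int) and bool(gflag & FLG_APPLICATION_VERIFIER),
        })
    return findings
```

    A Debugger-only entry such as the notepad.exe key in the sample is deliberately not reported, so the output is limited to the verifier-DLL registrations this thread is about.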
  22. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,458
    Location:
    Mexico
    Thank you. Problem I see is the one under this warning:
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,291
    Location:
    U.S.A.
    You also don't need any Microsoft tool to hack most security software:
    Ref.: https://breakdev.org/defeating-antivirus-real-time-protection-from-the-inside/
     
  24. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,639
    Location:
    Europe then Asia
    Not an issue for AppGuard. If something dares to tamper with it, AG locks the system; no new processes will be able to run.
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,291
    Location:
    U.S.A.
    A few other clarification points.

    The Microsoft ELAM driver is only available on Win 8.1 and 10, if that point wasn't obvious. I also believe it wasn't fully functional until release 1607. So this is an explanation, but not an excuse, for why most AV vendors are not using it and are relying on other self-protection methods. It also means that AV products running on non-Win 10 OSes, such as Eset, must rely on other means of self-protection. Finally, the power employed through the ELAM driver is not so much that it allows the AV vendor kernel process to run in protected mode, but that it allows that process to be loaded into the OS kernel, giving it all the protection that status allows.

    There is an ongoing discussion between Cybellum and Eset here: https://forum.eset.com/topic/11394-zero-day-exploit/. Cybellum appears to be "pulling out all stops" in its assertions about AV vendor vulnerabilities beyond the scope of its published Microsoft tool exploit. Whereas those might or might not be relevant to security software vulnerabilities, they are not so in the scope of their published report. That is, the Microsoft tool requires admin privileges to implement the exploit.
     
    Last edited: Mar 23, 2017