
A supposedly new vulnerability is making its way through tech news right now. The original source claims to have discovered a new zero-day vulnerability affecting many antivirus engines and possibly every program on Windows.

However, as far as I can tell:

But it's been claimed as a new zero-day, there've been a number of CVEs assigned, and it looks to be taking off in the news. What's different about it? And how can I mitigate it on my systems?

Bob
  • My best guess at the moment is that this is purely a vuln in those antivirus engines and not necessarily a concern for Windows nor other programs as a whole. But with the possibly-exaggerated headlines coming in, I'd like to figure out what the actual significance of this vuln is. – Bob Mar 22 '17 at 06:44
  • After looking at both the article from 2014 and the DoubleAgent one, it seems to me it's the same thing, just tested against popular AV software and with a good brand on it, though more like a rarely exploited 13-year-old issue than a true 0-day. As far as mitigating it, not giving admin access to viruses in the first place is probably your best bet (sandbox every program you install in separate boxes). – satibel Mar 22 '17 at 07:27

2 Answers


It is true that the concept of Application Verifier was already known (though poorly documented) as a verification tool. The thing is that it is the first time that we see attackers using this feature as an injection technique to inject DLLs into trusted processes.

The new concept about this attack is using the antivirus as a malware. The antivirus is considered a trusted entity on the system, and not even an administrator should be allowed to inject a DLL into its process. Doing so gives the attacker the opportunity to stop running away from the antivirus and instead use the antivirus as an attack vector.

As I said, the feature is poorly documented and no antivirus today mitigates it. Thus, combining those facts gives an attacker the power to run on every single Windows computer today without being detected, and the results can be disastrous (C&C communication, data leaks, new types of ransomware, etc.).

Aviv
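As an added example, not code from the question or either answer, the following PowerShell script audits the Application Verifier registrations that the answer above describes being abused. It assumes Windows PowerShell 5.1 or later with read access to HKLM; the Image File Execution Options (IFEO) key paths and the FLG_APPLICATION_VERIFIER bit (0x100) are documented Windows behaviour, not values taken from this page.

```powershell
# Added example (not from the original post). Application Verifier works through IFEO:
# when a process's IFEO GlobalFlag carries FLG_APPLICATION_VERIFIER (0x100), every DLL
# named in its VerifierDlls value is loaded into that process at startup. Listing those
# registrations, and checking who signed each DLL, is the audit a defender wants here.
# Assumes Windows PowerShell 5.1+ and read access to HKLM.

$IfeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$FLG_APPLICATION_VERIFIER = 0x100

function Get-AppVerifierRegistrations {
    foreach ($path in $IfeoPaths) {
        # 32-bit images on 64-bit Windows resolve verifier DLLs from SysWOW64, not System32
        $sysDir = if ($path -like '*Wow6432Node*') { 'SysWOW64' } else { 'System32' }
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
            $image = $_.PSChildName
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            $flag  = 0
            if ($null -ne $props.GlobalFlag) {
                # GlobalFlag is normally REG_DWORD, but gflags-style "0x100" strings also occur
                $flag = if ($props.GlobalFlag -is [string]) { [Convert]::ToInt32($props.GlobalFlag, 16) } else { [int]$props.GlobalFlag }
            }
            # VerifierDlls is a space-separated REG_SZ; absent value yields an empty list
            $dlls = @($props.VerifierDlls -split '\s+' | Where-Object { $_ })
            if ((($flag -band $FLG_APPLICATION_VERIFIER) -eq 0) -and ($dlls.Count -eq 0)) { return }
            if ($dlls.Count -eq 0) { $dlls = @('<none listed>') }
            foreach ($dll in $dlls) {
                # Verifier DLLs are loaded by bare name, so judge the copy in the system directory
                $resolved = Join-Path $env:SystemRoot "$sysDir\$dll"
                $present  = Test-Path -LiteralPath $resolved
                $sig      = if ($present) { Get-AuthenticodeSignature -FilePath $resolved } else { $null }
                $signer   = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
                [pscustomobject]@{
                    Image       = $image
                    GlobalFlag  = '0x{0:X}' -f $flag
                    VerifierDll = $dll
                    Present     = $present
                    Signer      = $signer
                    SignatureOk = [bool]($sig -and $sig.Status -eq 'Valid')
                }
            }
        }
    }
}

# Any row whose DLL is missing, unsigned, or not a Microsoft verifier provider deserves a closer look.
Get-AppVerifierRegistrations | Format-Table -AutoSize
```

On a workstation that has never run Application Verifier the script returns nothing, so any output at all is worth explaining.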

This is essentially a hoax ... there are numerous ways to inject code or DLLs into other processes if you have full admin privileges ... it all comes back to the Ten Immutable Laws Of Security (https://blogs.technet.microsoft.com/rhalbheer/2011/06/16/ten-immutable-laws-of-security-version-2-0/)

Raf