New vulnerability uses antivirus software to infect systems with malware

By midian182 ยท 7 replies
Nov 12, 2017 at 2:07 PM
Post New Reply
  1. Antivirus programs are supposed to keep us safe from all that malware floating around online, but devious hackers have been known to utilize the software for malicious purposes. The latest example of this practice involves using the “restore from quarantine” feature and has been discovered in multiple AV solutions.

    Austria-based security auditor Florian Bogner discovered the vulnerability and dubbed it AVGater. It essentially works by relocating malware from an AV quarantine folder to a sensitive location on a victim’s system.

    Bogner, who works for Kapsch, says he has notified the vendors of all the antivirus programs that contained the flaw. Some of the companies have released updates that address the issue, including Emisoft, Ikarus, Kaspersky, Malwarebytes, Trend Micro, and ZoneAlarm

    While penetration testing, Bognor infected clients’ PCs using a traditional phishing e-mail technique. The malware would then get quarantined by the AV program, and he would exploit vulnerabilities in the software that allowed unprivileged users to restore the quarantined files. Abusing a windows feature called NTFS file junction point allowed him to relay the file to a privileged directory of his choosing, such as a folder within C:\Program Files or C:\Windows. The method also abuses the Dynamic Link Library search order feature. The malware could then run with full privileges.

    The most significant limitation of AVGater is that it requires attackers to have physical access to a machine, but this could still be a big problem for shared computer environments.

    Bogner says the best way to prevent being affected by AVGater is to keep your antivirus programs up to date, which is always good advice. For enterprises users, he suggests removing the ability to restore files from quarantine.

    Permalink to story.

     
    holdum323 likes this.
  2. holdum323

    holdum323 TS Enthusiast Posts: 397   +35

    Hi Good stuff. Thank you!
     
  3. jobeard

    jobeard TS Ambassador Posts: 10,835   +895

    Limitations
    Neither the Windows NT startup process nor the Windows Vista startup process support Junction points, so it's impossible to redirect certain system folders:

    • folder containing hiberfil.sys (if it's configured to be outside root directory)
    • \Windows
    • \Windows\System32
    • \Windows\Config
    However it is possible to redirect non-critical folders:

    • \Users
    • \Documents and Settings
    • \Program Files
    • \Program Files (x86)
    Creating junctions for \Users and \ProgramData pointing to another drive is not recommended as it breaks updates and Windows Store Apps.[8]

    Creating junctions for \Users, \ProgramData, "\Program Files" or "\Program Files (x86)" pointing to other locations breaks installation resp. upgrade of Windows.[9]

    Creating junctions for "\Program Files" or "\Program Files (x86)" pointing to another drive breaks Windows' Component Based Servicing which hardlinks files from its repository \Windows\SxS to their installation directory.[citation needed]
     
    Reehahs and Lionvibez like this.
  4. J0nnyf1v3

    J0nnyf1v3 TS Rookie

    This is not nearly as bad as what I caught... Free online-install versions of Avast, MalwareBytes,AVG,Windows Defender,and Windows 10 updates being infected via DLL hollowing, heap spraying to force writing of mal-mutex into core system processes, and seperate, resigned core AV files dropped via use of NanoServer as a DNS poison/spoof tool. Defender updates were dropping malware infected Groove on a LTSB installation in my beehive, which should never have Groove at all....

    But the AV malware-real attacks-in particular, hooked kernel deep due to the certs and hollowing, and I extracted raw IP's from the individual hooks. I even captured a connection using a proprietary port literally nothing else is known to use besides The Fins. The port was actually registered to an Isreali Intelligence Director that recently moved to the US and is Co-CEO of a company that specializes in embedded device tracking.... He used his work email to register the port...........

    Free AV and poisoning Linux repo's is the popular way of infection I am noticing...

    And yes, Linux is bad, too... Unless you harden your kernel, and especially if you run PlayOnLinux or Wine(esp wine64 believe it or not), you are open to attack... Mix in the Broadcom vulns and the fact you can get a firmware customizer FOR broadcom firmware from the repo, you can find yourself a victim of network mirroring, I call it. Where you will boot to a copy of your file system via dbus... And also having your keychains put against a rainbow table care of AWS Redshift and a redsocks vulnerability.

    Things today take a mind to follow the seemingly insane and impossible... If you push through the 48 hour hump - because it takes about 60 straight hours to find the deep stuff... you will be rewarded with a collection of hashes that would make eSet hard with....kernels, and Envy. I honestly lost count of zerodays in Windows 10, especially with the release of PS to open source.

    Audit code...sure...

    And also gives the ability for more fluid integration of target with attacking machine, including loading of windows drivers onto Linux, namely wireless,IR, and BT.

    And also gives nation states a way to manipulate the windows kernel to flip those switches you took the time to turn off during install,back on without notice.

    Good job...

    I have literally sandboxed every file from the above mentioned software packages... The Linux processes I have done manually with Grant, DStep, Atom,UndoDB,Kcreate,DUMA,DBGinit,or on a chrooted (not just rooted) install of Linux on Android, as most attacks flow the flavors as long as you don't mix Fedora and Ubuntu commands, and in the same hand, Android Sandboxes can be used to fill the void of Malwr.com-esq sites for Linux testing.

    Outside the box....literally.....
     
  5. J0nnyf1v3

    J0nnyf1v3 TS Rookie

    But with Windows 10, one could infect system files by traversing programdata and appdata dirs. Especially installs of Defender, which can span critical and non-critical folders... Right?

    And mixed with other vulnerabilities like old installs of IE, one could abuse Mount points outside of a sandbox, and run code. Correct? While this alone isn't a huge attack, it is a valuable tool to gain in-sight persistence.
     
  6. wiyosaya

    wiyosaya TS Evangelist Posts: 1,734   +643

    Our corporate anti-virus program has incorrectly identified programs as viruses (even some of the software that we write because of its behavior) and moved them to quarantine. If we were unable to restore programs from quarantine, we would never get any work done due to the need to call IT every time we encountered an incorrect identification.

    Virus programs are far from perfect in their identification of viruses. If they were, I could see that the suggestion of not allowing anyone to restore a program from quarantine would be a good idea. However, a global policy of not allowing restores from quarantine would be unworkable for us. I can see not allowing restores from quarantine on certain systems where people never write programs or some similar situation. AV makers and M$ should fix the vulnerability instead of passing it off to the incorrect assumption that everything an AV program identifies as a virus is a virus no matter what.

    Sometimes I think these "experts" should be required to pass stringent licensing exams to operate in a field such as this. IMO, the suggestion of not allowing restores from quarantine is simply lame.
     
  7. jobeard

    jobeard TS Ambassador Posts: 10,835   +895

    Your point is well taken. Today there is far too much "one size fits all" design and the needs of users has become moot (eg: win/10 foists a cellphone GUI onto a desktop user). The BIG issue imo is the difference between commercial vs personal usage. One example where the needs are still fundamental to the implementation is the Firewall - - where we have Domain vs Private vs Public networks.

    Also consider that periodic scanning for infections is lame in the first place. Sure it's a last resort, but a better choice would have been to expend time+energy in proactive tools to avoid the infections in the first place. Tools which scan email attachments are available and EFFECTIVE (sure wish I could scan the ^$&^ user to stop phishing exposures).

    We use to use Intrusion Detection Systems to find files modified outside scheduled maintenance or configuration changes - - but it takes a very strict discipline to know what is approved vs unapproved.
     
  8. commanderasus

    commanderasus TS Booster Posts: 170   +64

    This works the same way Windows 10 update does
     

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...