A zero-day attack named Double Agent has been discovered that exploits a 15-year-old feature in Windows, present from XP through Windows 10. The attack can take over antivirus software on a Windows machine and turn it into a weaponized Trojan capable of attacking the very system it was designed to protect.
How Does Double Agent Work?
Double Agent exploits a legitimate Windows tool called ‘Microsoft Application Verifier’, which developers use to discover and fix bugs in applications. The attack begins when an attacker uses this zero-day vulnerability to inject code into the antivirus running on a Windows machine; once that code is loaded, the attacker has full control of the application. Application Verifier was created to strengthen application security by finding bugs, but Double Agent turns the same feature into a vehicle for malicious code.
Normally, attackers go to extreme lengths to hide from and evade the antivirus running on a machine. With Double Agent, the attacker takes full control of the antivirus itself and can do as they please without fear of being caught or blocked. Double Agent has five known attack vectors that an attacker can use against the victim.
Double Agent Isn’t Going Anywhere
All major vendors of antivirus software have been notified of the zero-day vulnerability. However, the vulnerability lies within an application offered by Microsoft, who can’t find a way to patch it. For software developers to stop Double Agent, they will have to block Application Verifier from running on the machine. What makes Double Agent most difficult is that if an attacker exploits the application and gains control over the antivirus, there is no way to detect that they are there. Why would they be so hard to detect? Antivirus software is designed to stop viruses or malware from infiltrating your computer or network, but no other security measure checks whether the antivirus itself has been infiltrated. Everything the antivirus does will appear legitimate, allowing attackers and their attack vectors to bypass any security product that you or your organization may have.
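One check a defender can run on an endpoint, added here as an example that is not from the original article: Application Verifier decides which DLLs to load into a process from that executable's Image File Execution Options registry key (the VerifierDlls value, enabled by the 0x100 bit in GlobalFlag). The PowerShell script below enumerates those keys and flags entries that name a DLL not present in the system directory, or that target a security product's process. The antivirus process names in the watch list are constructed placeholders, and the script only inspects the registry persistence of this technique, not what an already-loaded DLL is doing.

```powershell
# Added example (not from the original article): audit the registry locations that
# Application Verifier reads at process start. When an executable's Image File
# Execution Options key carries a VerifierDlls value and GlobalFlag has the
# FLG_APPLICATION_VERIFIER bit (0x100) set, the listed DLLs are loaded into that process.
# Microsoft's own verifier provider DLLs live in the Windows system directory, so an
# entry naming a DLL that is not found there, or an entry attached to a security
# product's executable, deserves investigation.

$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Constructed, illustrative list of antivirus executables to treat as high priority;
# replace with the process names of the products actually deployed in your environment.
$watchedProcesses = @('MsMpEng.exe', 'avp.exe', 'avgsvc.exe')

$findings = foreach ($root in $ifeoRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        $dlls  = $props.VerifierDlls
        if (-not $dlls) { continue }

        # GlobalFlag may be stored as REG_DWORD or as a hex string; [int] handles both.
        $flags = 0
        if ($props.GlobalFlag) { $flags = [int]$props.GlobalFlag }
        $verifierEnabled = ($flags -band 0x100) -ne 0

        # VerifierDlls is a space-separated list of DLL names.
        foreach ($dll in ($dlls -split '\s+' | Where-Object { $_ })) {
            $resolved   = Join-Path $env:SystemRoot ("System32\" + $dll)
            $inSystem32 = Test-Path $resolved
            [pscustomobject]@{
                Executable      = $key.PSChildName
                VerifierDll     = $dll
                VerifierEnabled = $verifierEnabled
                KnownSystemDll  = $inSystem32
                WatchedProcess  = $watchedProcesses -contains $key.PSChildName
                Hive            = $root
            }
        }
    }
}

if (-not $findings) {
    Write-Output 'No VerifierDlls entries found under Image File Execution Options.'
} else {
    # Highest-risk entries first: a watched security process paired with a DLL that is
    # not in the system directory.
    $findings |
        Sort-Object -Property @{Expression = 'WatchedProcess'; Descending = $true},
                              @{Expression = 'KnownSystemDll'; Descending = $false} |
        Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session so both hives are readable, and treat any row with VerifierEnabled set and KnownSystemDll false as an item to investigate; legitimate developer machines with Application Verifier installed will show entries, but those point at Microsoft's provider DLLs and at the application under test rather than at an antivirus process.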
Cyber criminals are always evolving and finding new ways to create cyber attacks. As this and several other attacks show, blindly trusting traditional security measures isn’t enough anymore. Double Agent is going to be around for months or even years, and while it hasn’t been seen in the wild yet, now that attackers are aware of the zero-day vulnerability, we will surely see users or even large organizations fall victim to it.