A flaw in the way antivirus products handle quarantined files could put millions of users worldwide at risk. The AVGater vulnerability, discovered by Austrian security researcher Florian Bogner, abuses the quarantine-and-restore function of security software to hand administrator-level privileges to an attacker who already has a foothold on the victim's computer.
To date, the problem has been confirmed in 13 antivirus products. Among them are solutions from Kaspersky, Malwarebytes, Trend Micro, Emsisoft, Ikarus and ZoneAlarm, which have already received patches. The names of the other affected products are being withheld until fixes are available, to avoid mass exploitation. Below is how the attack works and how to protect yourself.
Security flaw – Photo: Reproduction / brandprotect
Bogner is a white-hat hacker, a security professional hired by large companies to find flaws in their corporate networks before criminals do. In one of these engagements he found a way to turn antivirus software against the machine it protects. The attack chains together a Windows file-system feature with the quarantine and restore features found in security software.
By exploiting the loophole, a malicious user can abuse the antivirus restore function to take complete control of the computer. In just a few steps, an attacker who starts with an ordinary, unprivileged account ends up with administrator-level access, obtained through the security software itself.
«AVGater can be used to restore a previously quarantined file to any arbitrary location on the file system. This is possible because the restoration process is performed by the antivirus using a privileged Windows mode,» says Bogner.
Organizations are often harder to attack because the IT department locks down users' computers with restricted, non-administrator accounts. The researcher's discovery, however, lets an attacker who has only such a limited account escalate to administrator privileges by way of the antivirus installed on the PC.
The first step of the attack is to place a file on the victim's computer that the antivirus is guaranteed to detect and move into quarantine. Once the file is in quarantine, the attacker, working from the unprivileged account, asks the antivirus to restore it. The restore function is normally used to recover files that were quarantined by mistake, but here it serves to bring the attacker's file back, and to bring it back somewhere it should never be allowed to go.
Before triggering the restore, the attacker replaces the directory the file originally came from (a directory the unprivileged user owns, such as a downloads folder) with an NTFS directory junction, a Windows file-system link that silently redirects to another directory. When the antivirus restores the file "to its original location", the privileged antivirus service follows the junction and writes the file wherever the attacker pointed it, for example into Program Files, instead of back to a place where the antivirus would simply quarantine it again.
The file the attacker quarantined is not a random piece of malware but a DLL with a name that a privileged Windows service or application looks for in that directory. On the next start of that process, Windows loads the attacker's DLL in its place (a classic DLL search-order hijack), and the attacker's code runs with the privileges of that process, giving deep control of the computer. In a corporate environment, the technique lets an attacker who broke into a single locked-down PC escalate to administrator and, from there, move on to the rest of the network.
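The core of the bug is a privileged file write whose destination is controlled by an unprivileged user. The following added example (not code from the page, from Bogner, or from any antivirus vendor) simulates the restore step in Python: a constructed "downloads" folder, quarantine store and "program_files" directory live under one temporary root, the attacker swaps the downloads folder for a link, and a naive restore lands the file in program_files while a hardened restore refuses. The NTFS directory junction of the real attack is simulated with a symlink so the script runs on any platform; the directory and file names are illustrative assumptions.

```python
import os
import shutil
import tempfile


class RestoreRefused(Exception):
    """Raised by the hardened restore when the destination cannot be trusted."""


def setup_scenario():
    """Build the constructed scenario and return
    (root, quarantined_file, recorded_original_path, program_files_dir)."""
    # realpath() so that comparisons below are not confused by a symlinked /tmp
    root = os.path.realpath(tempfile.mkdtemp(prefix="avgater_demo_"))
    downloads = os.path.join(root, "home", "user", "downloads")   # user-owned
    quarantine = os.path.join(root, "quarantine")                 # AV-owned
    program_files = os.path.join(root, "program_files")           # admin-only
    for d in (downloads, quarantine, program_files):
        os.makedirs(d)

    # Step 1: the file the attacker wants the AV to catch (a stand-in for a
    # DLL that some privileged process would later load from program_files).
    original = os.path.join(downloads, "evil.dll")
    with open(original, "w") as f:
        f.write("not really a dll\n")

    # The AV quarantines it and records where it came from.
    quarantined = os.path.join(quarantine, "item-0001.bin")
    shutil.move(original, quarantined)

    # Step 2: the attacker owns downloads/, so they can replace it with a link
    # (an NTFS junction on Windows; a symlink here) that points at program_files.
    os.rmdir(downloads)
    os.symlink(program_files, downloads)
    return root, quarantined, original, program_files


def naive_restore(quarantined, original_path):
    """Vulnerable restore: trusts the recorded path and writes there with the
    service's privileges, following whatever link now sits in the way.
    Returns where the file actually ended up."""
    os.makedirs(os.path.dirname(original_path), exist_ok=True)
    shutil.move(quarantined, original_path)
    return os.path.realpath(original_path)


def hardened_restore(quarantined, original_path):
    """Hardened restore: refuse if any directory on the recorded path has
    become a link, i.e. if the path no longer resolves to itself."""
    parent = os.path.dirname(original_path)
    if os.path.islink(parent) or os.path.realpath(parent) != os.path.normpath(parent):
        raise RestoreRefused(f"{parent} no longer resolves to itself; refusing restore")
    if os.path.exists(original_path):
        raise RestoreRefused("destination already exists; refusing to overwrite")
    shutil.move(quarantined, original_path)
    return os.path.realpath(original_path)


def run_demo():
    """Run both restores against fresh scenarios and report what happened."""
    results = {}

    root, quarantined, original, program_files = setup_scenario()
    landed = naive_restore(quarantined, original)
    results["naive_landed_in_program_files"] = (
        os.path.commonpath([landed, program_files]) == program_files
    )
    shutil.rmtree(root)

    root, quarantined, original, program_files = setup_scenario()
    try:
        hardened_restore(quarantined, original)
        results["hardened_refused"] = False
    except RestoreRefused:
        results["hardened_refused"] = True
    # The file must still be sitting in quarantine after a refusal.
    results["still_quarantined"] = os.path.exists(quarantined)
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Note the limits of the path check: it is a check-then-act sequence, so an attacker who can race the service could still swap the directory between the check and the move. The more robust fix, and the one the mitigation boils down to in practice, is for the privileged service to perform the restore while impersonating the user who requested it, so that it can write only where that user could write anyway.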
The problem exists because antivirus software must have access to every location on the system in order to search for threats. Such products are split into two parts: a user interface the user interacts with, and a background service that runs with system privileges and is inaccessible to anyone without administrator rights on the PC. The vulnerability the researcher found lies precisely in the bridge between these two halves, where the unprivileged interface can ask the privileged service to do work on its behalf.
“In the context of the non-privileged user, there is only the antivirus user interface. By itself, it has no real power, because it is being executed within a limited session. However, when talking to the Windows antivirus service, it is possible to do many things that a normal user could not,” explains the expert.
Despite the recurring mention of Windows, Bogner stresses that the flaw lies in the antivirus products themselves, not in the operating system: there is no suggestion of a vulnerability in Microsoft's code.
Attack goes through the antivirus quarantine – Photo: Reproduction / Florian Bogner
The only measure ordinary users can take to protect themselves from the flaw is to keep their antivirus up to date. The researcher who discovered the vulnerability privately informed the companies whose software is affected, and they are gradually releasing fixes. Kaspersky, Malwarebytes, Trend Micro, Emsisoft, Ikarus and ZoneAlarm were the first; at least seven other antivirus products still have critical updates pending in the coming days. For administrators there is one further practical mitigation that follows directly from how the attack works: do not let unprivileged users restore files from quarantine at all.
It is not the first time a serious vulnerability has hit antivirus programs. In 2005, at the Black Hat security conference, researchers already warned of flaws in products from Symantec, McAfee, Trend Micro and F-Secure. At a similar event two years later, CA eTrust antivirus, Norman, Panda, ESET, F-Secure, Avira and Avast were all reported to be unsafe.
In November 2016, one of the engineers responsible for the security of Google Chrome even published on Twitter that «antivirus is a major deterrent to the launch of a secure browser».
Google engineer warned about antivirus problems – Photo: Reproduction / Twitter
Via Bogner.sh and Arstechnica