Double Agent: The Zero-Day That Could Last for Months

Jordan Kadlec

A zero-day attack named Double Agent has been discovered that exploits a 15-year-old feature in Windows from XP through Windows 10. The attack has the ability to take over antivirus software on machines running Windows and turns them into a weaponized Trojan capable of attacking the very system it was designed to protect. 

DoubleAgent.jpg

How Does Double Agent Work?

Double Agent exploits a legitimate tool of Windows called ‘Microsoft Application Verifier’ which is used to discover and fix bugs in applications. The attack begins when a hacker injects code into the antivirus running on a Windows machine, exploiting a zero-day vulnerability. Once a zero-day vulnerability is exploited, the attacker has full control of the application. Application Verifier was created to strengthen application security by discovering and fixing bugs. However, Double Agent uses this feature to perform its malicious operations.

Ransomware Decryptors

Normally, hackers would go to extreme lengths to hide and avoid the antivirus running on a machine. With Double Agent, the hacker can take full control of the antivirus and do as he pleases without the fear of being caught or blocked. Double Agent has five known attack vectors that he can use against the victim.

  • Turn the Antivirus into a Malware – By having full control over the antivirus, any malicious operation can be performed because it appears This gives the attacker the ability to bypass all security products on the machine.
  • Modify the Antivirus Internal Behavior – The hacker has the ability to change the antivirus whitelists or blacklists, internal logic, and even install backdoors. This makes the antivirus appear to be working as normal when it is actually completely useless, giving the hacker access to execute malware that would normally be blocked.
  • Host Takeover – Double Agent can use the antivirus to strengthen its foothold on the system. Practically any other software on the system can now be infected and turned into slave software, which can be used to further carry out the attack.
  • Destroy the Machine – By compromising the antivirus, the hacker has complete control over the machine. This allows them to easily encrypt all files or completely reformat the hard drives.
  • Software Ransoming – Double Agent is so powerful it deserves a new category of attack: Software Ransoming. Because the attacker controls the antivirus, he may sign a legitimate and critical application, spread the infection throughout the network, and turn off the critical application. Double Agent embeds so deeply into the system that re-installing the software won’t do any good. The only way to remove the infection would be to reload every computer from scratch or pay the ransom to turn the software back on.

Double Agent Isn’t Going Anywhere

All major vendors of antivirus software have been notified of the zero-day vulnerability. However, the vulnerability lies within an application offered by Microsoft, who can’t find a way to patch it. For the software developers to stop Double Agent, they will have to block Application Verifier from running on the machine. What’s most difficult about Double Agent is if a hacker exploits the application and gains control over the antivirus, there is no way to detect that they are in there. Why would they be so hard to detect? Antivirus software is designed to stop viruses or malware from infiltrating your computer or network. However, there is no other security measure that checks whether an antivirus has been infiltrated. Everything the antivirus does will appear legitimate, allowing hackers and their attack vectors to bypass any security product that you or your organization may have.

New Call-to-action

Cyber criminals are always evolving and finding new ways to create cyber attacks. As shown here, and with several other attacks, blindly trusting traditional security measures isn’t enough anymore. Double Agent is going to be around for months or even years, and while it hasn’t been seen in the wild yet, now that hackers are aware of the zero-day vulnerability, we will surely see users or even large organizations fall victim to the vulnerability.

Share this: