► In what form is it?
The vulnerability lies in a 15-year-old Windows feature called “Application Verifier”.
This tool loads DLLs into processes so that developers can test them quickly and identify development errors.
However, by creating a registry key with the same name as the application it wants to hijack, an attacker can inject a custom DLL into any legitimate process and take full control of the machine. It can, among other things, install a backdoor or malware, hijack permissions, take over other users’ sessions, etc.
To demonstrate the severity of the vulnerability, the researchers injected code into antivirus software and corrupted it so that it behaved like ransomware, encrypting the files on the computer’s hard drive.
They could just as easily have used it to disable the antivirus software, make it “blind” to viruses, carry out DDoS attacks, use it as a proxy to launch attacks on the local network, deploy malicious code through it or use it to steal data.
Note that the demonstration could have been made using any program, including Windows itself!
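The registry mechanism described above can be audited from the defender's side. The following Python is an added example, not code from the article or from Cybellum: it parses an exported registry fragment and reports Image File Execution Options entries that switch on Application Verifier for a process while naming a DLL outside a caller-supplied allowlist. The IFEO key path, the `GlobalFlag` bit 0x100 and the `VerifierDlls` value are the real Windows locations; the sample export, process names and DLL names are constructed.

```python
import re
from typing import Dict, List

# Bit in GlobalFlag that enables Application Verifier for a process (FLG_APPLICATION_VERIFIER).
FLG_APPLICATION_VERIFIER = 0x100
IFEO_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed .reg export: one suspicious entry (constructed names) and one benign entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscanner.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="vrfcore.dll injected.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000
'''


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a simple .reg export (no line continuations) into {key_path: {value_name: raw_value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1)
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value
    return keys


def find_verifier_hijacks(reg_text: str, allowed_dlls=()) -> List[dict]:
    """Return IFEO entries that enable Application Verifier with a DLL not in allowed_dlls."""
    findings = []
    for path, values in parse_reg_export(reg_text).items():
        parent, _, exe = path.rpartition("\\")
        if not parent.lower().endswith(IFEO_PATH.lower()):
            continue  # not an IFEO per-process key
        raw = values.get("GlobalFlag", "dword:00000000")
        flags = int(raw.split(":", 1)[1], 16) if raw.startswith("dword:") else 0
        dlls = values.get("VerifierDlls", "").strip('"').split()  # space-separated DLL names
        unexpected = [d for d in dlls if d.lower() not in allowed_dlls]
        if flags & FLG_APPLICATION_VERIFIER and unexpected:
            findings.append({"process": exe, "dlls": unexpected})
    return findings


if __name__ == "__main__":
    for hit in find_verifier_hijacks(SAMPLE_REG, allowed_dlls=("vrfcore.dll",)):
        print(f"Application Verifier enabled for {hit['process']} with unexpected DLLs: {hit['dlls']}")
```

On a live host the same export is produced with `reg export` of the IFEO key (including its Wow6432Node counterpart); the allowlist should hold only the verifier DLLs your environment legitimately uses.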
14 virus protection publishers were notified more than 90 days ago so that they could provide patches to plug the vulnerability:
- Trend Micro
- Quick Heal
To our knowledge, only AVG, Kaspersky, Trend Micro and Malwarebytes have made the necessary corrections to date.
> Why is this worrying?
The vulnerability disclosed by Cybellum is now public and exploit code is available to the cyber-criminal community.
Most anti-virus publishers are taking their time in making patches available.
Although no attack exploiting this vulnerability, and no resulting damage, has been recorded so far, it is a safe bet that the situation will deteriorate quickly.
We expect a first wave of cyber-criminal activity in the coming days, given how simple the engineering needed to carry it out is.
► How can you protect yourself?
If your anti-virus software has been patched, carry out an update without delay!
If the publisher of your anti-virus has not yet solved the problem and patched its software, there is nothing you can do.
In all cases, back up your servers and workstations regularly and keep at least three file versions.
► What should you do if attacked?
- If you believe your workstation is infected (a Notepad or Word error when you try to open an attachment, an antivirus alert, a sluggish system or unusual behaviour), immediately switch off your PC and disconnect it from the network.
- Perform a full restore of your workstation (system image and data) from a known good backup (a version prior to the infection date).
- Change your workstation’s password, choosing a password containing at least 8 characters (letters, numbers and special characters).
Notify the relevant authorities. Not only will this help to determine the scale of the damage caused, but it will also protect you from potential liability if you are prosecuted by a third party.
You should also report the matter to the police, ideally at the police station in the town or city where the crime was committed. This report will be used as evidence if you are subsequently pursued for damages.
> Have you suffered a cyberattack or are you unsure about the reliability of your back-up system?