Security researchers have recently come across a new proof-of-concept exploit that attacks antivirus programs. Dubbed AVGater, the exploit compromises the antivirus quarantine restore process in order to gain full control over the infected device.
The security researcher who disclosed the issue was Florian Bogner from Vienna, Austria. He named the exploit AVGater because, as he says, “every new vulnerability needs its own name and logo.” According to Bogner, AVGater operates by “manipulating the restore process from the virus quarantine.”
“By abusing NTFS directory junctions, the AV quarantine restore process can be manipulated, so that previously quarantined files can be written to arbitrary file system locations.” – shared Bogner in his blog – “By restoring the previously quarantined file, the SYSTEM permissions of the AV Windows user mode service are misused, and the malicious library is placed in a folder where the currently signed in user is unable to write to under normal conditions.”
Bogner said that he immediately informed Emsisoft, Kaspersky Lab, Trend Micro, Ikarus Security Software, Check Point, and Malwarebytes of the issue, and all of them have already released patches for their affected products. Since the researcher didn’t specifically mention either Symantec or McAfee in his blog post, neither of the two vendors has responded to questions so far.
Bogner strongly recommends that users keep their antivirus software updated in order to avoid being attacked by AVGater. However, he also added that there are limitations to the exploit.
“As AVGater can only be exploited if the user is allowed to restore previously quarantined files, I recommend everyone within a corporate environment to block normal users from restoring identified threats.” – stated Bogner – “This is wise in any way.”
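Bogner's two quotes above describe the junction abuse during restore and the policy fix of restricting who may restore. The following is an added example (not code from Bogner's write-up or from any AV vendor) of the path check a restore routine should perform before a SYSTEM-level service writes a quarantined file back: refuse if any component of the recorded destination is now a symbolic link or NTFS junction, or if the file name escapes the recorded directory. The function names and the recorded-directory metadata are assumptions; on non-Windows systems a symlink stands in for a junction.

```python
import os
import stat
from typing import Optional

# Added example, not code from Bogner's write-up or from any AV vendor.
# Assumption: the product recorded, at quarantine time, the directory the file
# came from (`recorded_dir`) and its plain file name; local drive paths only.


def has_reparse_component(path: str) -> bool:
    """Return True if any existing component of `path` is a symbolic link or,
    on Windows, an NTFS junction / other reparse point."""
    parts = os.path.abspath(path).split(os.sep)
    current = parts[0] + os.sep if parts[0] else os.sep
    for part in parts[1:]:
        current = os.path.join(current, part)
        try:
            st = os.lstat(current)  # lstat does not follow links or junctions
        except FileNotFoundError:
            return False  # rest of the path does not exist yet: nothing to follow
        if stat.S_ISLNK(st.st_mode):
            return True
        # On Windows, lstat exposes the reparse-point attribute (junctions included).
        attrs = getattr(st, "st_file_attributes", 0)
        if attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0):
            return True
    return False


def safe_restore_target(recorded_dir: str, filename: str) -> Optional[str]:
    """Destination path for restoring `filename` into `recorded_dir`, or None
    when the restore must be refused: the path no longer means what it meant
    at quarantine time (a junction or symlink was planted), or the name would
    escape the recorded directory."""
    if os.path.basename(filename) != filename or filename in ("", ".", ".."):
        return None  # no separators, no traversal
    target = os.path.join(recorded_dir, filename)
    if has_reparse_component(target):
        return None  # a SYSTEM-level write would land somewhere else
    # Belt and braces: resolving the path must not change it.
    resolved = os.path.realpath(target)
    if resolved != os.path.normpath(os.path.abspath(target)):
        return None
    return resolved
```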
According to Satya Gupta, the founder and CTO of Virsec Systems, an application threat software company based in San Jose, California, AVGater is proof that attackers have found another way that allows them to manipulate “legitimate processes to launch malicious code or scripts.”
“It’s also another nail in the coffin for conventional signature-based antivirus solutions. We’ve known for a while that fileless and memory-based exploits fly under the radar of most AV systems, but now hackers can use AV tools to essentially disable themselves.” – Gupta said to SearchSecurity – “Hackers are relentless and will inevitably find clever ways to bypass perimeter security. The battle has to move to protecting the integrity of applications for process and memory exploits.”