Avast, Microsoft Defender: this flaw turns antivirus into formidable malware


During Black Hat Europe 2022, a computer security researcher demonstrated that the main antivirus products on the market can be hijacked and turned into wipers, malware that erases legitimate files on the targeted PCs.


Black Hat conferences are held every year, bringing together many computer security experts from government agencies and specialized companies, not to mention the most respected hackers in the field.

The 2022 European edition, held in London from December 5 to 8, was the occasion for a rather striking proof of concept (POC). Or Yair, a computer security researcher at SafeBreach, demonstrated how antivirus solutions can be hijacked to erase or permanently delete legitimate files on your PC.

As you may know, Avast, Microsoft Defender and AVG all have in common that they can automatically delete or quarantine files identified as malicious. It is precisely this principle that the flaw exploited by Or Yair relies on. The goal is simple: trick your antivirus into deleting a legitimate file instead of the malicious one.


Push antivirus to delete legitimate files

To do this, the researcher targets a mechanism that does not require any privileges: junctions. Through a TOCTOU (time-of-check to time-of-use) attack, the attacker tries to slip in between the step where the file is detected and the step where it is deleted.

Here is a simple example:

  • the attacker wants to delete a driver located in the folder /Windows/System32/Drivers
  • he copies this folder into /temp (writable without privileges)
  • in that copy, he creates a malicious file with the same name as the driver
  • after the antivirus detects the file, but just before it is deleted, he removes it from /temp and then sets up a junction to the original folder
  • the driver is then erased instead of the malicious file

6 out of 11 antiviruses vulnerable to this flaw

However, as Or Yair explains, antiviruses tend to block the deletion of a malicious file once it has been created. To get around this mechanism, he made the delete operation conditional on a reboot: antiviruses keep a list of files to delete after a reboot, and, importantly, this deferred deletion also handles junctions. That's it.
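As an added illustration from the defender's side, covering both the junction swap described in the list above and the deferred "delete after reboot" step (example code written for this article, not code from SafeBreach or from any of the vendors named): a deletion routine should refuse to remove a path if any of its components is a symlink or a Windows junction (a reparse point), or if the resolved path no longer lies under the directory where the detection happened. The function names and status strings are my own.

```python
import os
import stat
from pathlib import Path

# Hypothetical defender-side check. A scanner that queues a file for deletion
# (immediately or after reboot) re-validates the path at deletion time instead
# of trusting the path it recorded at detection time, which is the TOCTOU gap.

FILE_ATTRIBUTE_REPARSE_POINT = 0x400  # public Win32 attribute bit for junctions/symlinks


def component_is_reparse_point(p: Path) -> bool:
    """True if this single path component is a symlink or a Windows reparse point."""
    st = os.lstat(p)  # lstat: inspect the component itself, do not follow it
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # attribute only exists on Windows
    return bool(attrs & FILE_ATTRIBUTE_REPARSE_POINT)


def reparse_components(path: str) -> list:
    """Return every prefix of `path` that is a symlink/junction, checking prefix by prefix."""
    parts = Path(path).parts
    found = []
    for i in range(1, len(parts) + 1):
        prefix = Path(*parts[:i])
        try:
            if component_is_reparse_point(prefix):
                found.append(str(prefix))
        except FileNotFoundError:
            break  # the remainder of the path does not exist (yet)
    return found


def safe_delete(path: str, detected_root: str) -> str:
    """Delete `path` only if no component is a junction and it still resolves
    under `detected_root`. Returns a constructed status string."""
    if reparse_components(path):
        return "refused:reparse"  # the attack in the article: a folder swapped for a junction
    resolved = Path(path).resolve()
    root = Path(detected_root).resolve()
    if root not in resolved.parents:
        return "refused:escaped"  # target moved outside the directory it was detected in
    os.remove(path)
    return "deleted"
```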

According to the researcher, six of the eleven products tested were vulnerable: Defender, Defender for Endpoint, SentinelOne EDR, Trend Micro Apex One, Avast Antivirus and AVG Antivirus. Note that these vulnerabilities were reported in the summer of 2022 and have since been fixed by Microsoft, Trend Micro, Avast and AVG.

Source: Silicon
