

11/28/2017

Cylance - New exploit allows malware that’s quarantined in some antivirus programs to still infect computers...



There’s an interesting new exploit being discussed online that deserves some attention: malware that’s quarantined in some antivirus programs can still infect computers, partially due to a quirk in how Windows handles files via NTFS.

Information security auditor Florian Bogner discovered this exploit while conducting penetration testing for some of his clients and named it AVGater.

Bogner lists the affected vendors who have patched the vulnerability here and believes others may also be affected. (Rest assured that Cylance’s product doesn’t have this vulnerability. There, that’s been said.)

Why is the Exploit Specific to Windows Applications?

Unprivileged Windows users can interact with their antivirus application’s UI. They can usually change some of the application’s settings and see warnings related to potential malware. But in order to conduct actions such as monitoring file access or putting suspected malware files into quarantine, the antivirus application must interact with the Windows System level within user mode, which is more privileged. Checking scanned objects for known threat identifiers with signatures, heuristics, or both probably involves the kernel.

There are channels between the unprivileged user, the Windows System, and the kernel, and the AVGater exploit shows that those channels are susceptible to privilege escalation. When an object is restored from the antivirus application’s quarantine, that action is carried out by the Windows System privileged user. In Windows, the System can circumvent access control lists.

Anyone with access to a Windows computer can make an NTFS directory junction, otherwise known as a soft link. They’re implemented through reparse points, and can be used to link one folder to another, provided they’re within the same logical drive on the disk. An example of a logical drive in Windows is C, which is the default main HDD partition.

Let’s say a malicious DLL file has been quarantined by the antivirus application. An attacker who exploits the AVGater vulnerability can create an NTFS directory junction from the quarantine location to any other folder within the logical drive. Bogner believes the targeted folder would probably be inside C:\Program Files or C:\Windows, but it doesn’t have to be.

According to Windows’ DLL search order, applications will look for a DLL in the System or Windows folders, including their children, if the DLL can’t be found from a known path or the application’s folder. If the DLL the application finds is malicious, then bingo, you’ve got a cyberattack.
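A defender auditing for the junctions described above can read a junction's reparse data (for example, the bytes reported by `fsutil reparsepoint query`) and check where it points. The following is an added example, not code from Bogner or Cylance; the function names, the watch list and the sample buffers are constructed for illustration.

```python
import struct

IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003  # reparse tag NTFS uses for directory junctions
# Folders the article names as likely targets; the (x86) entry is an added assumption.
PROTECTED = ("c:\\windows", "c:\\program files", "c:\\program files (x86)")

def parse_junction(buf: bytes) -> str:
    """Return the substitute (target) path stored in a mount-point reparse buffer."""
    if len(buf) < 16:
        raise ValueError("buffer too short for a mount-point reparse header")
    tag, data_len, _reserved = struct.unpack_from("<IHH", buf, 0)
    if tag != IO_REPARSE_TAG_MOUNT_POINT:
        raise ValueError(f"not a junction: reparse tag {tag:#010x}")
    if 8 + data_len > len(buf):
        raise ValueError("ReparseDataLength runs past the end of the buffer")
    sub_off, sub_len, _print_off, _print_len = struct.unpack_from("<HHHH", buf, 8)
    start = 16 + sub_off            # PathBuffer begins after the four USHORT fields
    end = start + sub_len
    if end > 8 + data_len:
        raise ValueError("substitute name lies outside the reparse data")
    target = buf[start:end].decode("utf-16-le")
    # The substitute name is an NT path; strip the \??\ prefix to get the Win32 form.
    return target[4:] if target.startswith("\\??\\") else target

def points_into_protected(target: str) -> bool:
    """True when the junction target is a protected folder or one of its children."""
    norm = target.rstrip("\\").lower()
    return any(norm == p or norm.startswith(p + "\\") for p in PROTECTED)

def build_sample(target: str) -> bytes:
    """Constructed sample buffer in the on-disk layout, so the example runs offline."""
    sub = ("\\??\\" + target).encode("utf-16-le")
    prn = target.encode("utf-16-le")
    path = sub + b"\x00\x00" + prn + b"\x00\x00"
    body = struct.pack("<HHHH", 0, len(sub), len(sub) + 2, len(prn)) + path
    return struct.pack("<IHH", IO_REPARSE_TAG_MOUNT_POINT, len(body), 0) + body

if __name__ == "__main__":
    for t in ("C:\\Program Files\\ExampleApp", "C:\\Users\\alice\\Documents"):
        resolved = parse_junction(build_sample(t))
        print(resolved, "-> ALERT" if points_into_protected(resolved) else "-> ok")
```

A junction found in a user-writable location whose target resolves into one of the watched folders is worth investigating before any quarantine restore is allowed to proceed.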

Attack Scenario

Bogner describes the AVGater attack scenario as follows:

A vulnerable antivirus program quarantines a malicious DLL. Then the NTFS directory junction process is exploited to link the malware from the original source path to another folder, usually within C:\Program Files or C:\Windows to maximize the probability of the malicious DLL’s execution.

That NTFS directory junction process is a way to escalate privileges to the System level. The malicious DLL can be written to a folder the unprivileged user doesn’t have access to. Because of the DLL search order, the malware can be executed, and an attacker who doesn’t have administrative access can then take control of the targeted computer.

To protect against the vulnerability, Bogner recommends frequent antivirus software patching, and not giving users in corporate environments the privileges needed to restore files from quarantine. I’d suggest that you can also consider AI-driven antivirus solutions.

For more information, please visit our partner, Cylance.
