Security Products Are No Match For The Double Agent

Schtask

Security researchers at Cybellum have identified a Zero-Day attack that grants full control over many Antivirus solutions on the market today. Born from the ashes of a 15-year-old Microsoft tool, Cybellum has named this attack "Double Agent". Double Agent uses Microsoft's fairly ancient "MS Application Verifier" to infiltrate its victims like a facehugger egg in an Easter basket.
 
Not sure why.. but this made me laugh.
What is Psychosis?
Psychosis refers to a loss of contact with reality, in which people have trouble distinguishing between what is real and what is not. When this occurs, it is called a psychotic episode.
 
like this
What is Psychosis?
Psychosis refers to a loss of contact with reality, in which people have trouble distinguishing between what is real and what is not. When this occurs, it is called a psychotic episode.

I think I just find it funny that a part of Windows itself can be used against the users of Windows.

Then again, it is super easy to write stuff that will do that and is undetectable by scanners. You just don't do anything that looks suspicious.. and pretty much all home users are using admin accounts, with a lot of them turning UAC off. And then you can do whatever you want very easily without the user ever suspecting a thing until it is too late.

And no, I don't do this. I just had a program I had to write quite a while ago and it became quite apparent to me as to exactly how insecure Windows is.
 
I think I just find it funny that a part of Windows itself can be used against the users of Windows.

Then again, it is super easy to write stuff that will do that and is undetectable by scanners. You just don't do anything that looks suspicious.. and pretty much all home users are using admin accounts, with a lot of them turning UAC off. And then you can do whatever you want very easily without the user ever suspecting a thing until it is too late.

And no, I don't do this. I just had a program I had to write quite a while ago and it became quite apparent to me as to exactly how insecure Windows is.

People who turn off UAC are too stupid to own a computer, and should have it confiscated for their own protection. Proper user and permissions management (borrowed from *nix of course) is IMHO one of the few things Microsoft has done right in the last 10 years. As big an advance as, if not bigger than, protected memory was in XP (the first consumer Microsoft OS to introduce the feature).
 
Malware can defeat signature based AV just by XORing a pointer when it's compiled. Hashes change and it becomes a zero day. Even behavioral based AV gets stymied by meta-morphic worms.
 
People who turn off UAC are too stupid to own a computer, and should have it confiscated for their own protection. Proper user and permissions management (borrowed from *nix of course) is IMHO one of the few things Microsoft has done right in the last 10 years. As big an advance as, if not bigger than, protected memory was in XP (the first consumer Microsoft OS to introduce the feature).

Tell that to the makers of my POS software. One of the requirements to run it is to TURN OFF UAC. Program won't properly update every couple weeks with UAC on.
 
So yeah this requires already having admin privileges to run the exploit. :rolleyes:

Maybe I should start my own blog and breathlessly report how every version of Windows has an unpatchable exploit that lets you create a backdoor account if you already have admin privileges.
 
So yeah this requires already having admin privileges to run the exploit. :rolleyes:

Maybe I should start my own blog and breathlessly report how every version of Windows has an unpatchable exploit that lets you create a backdoor account if you already have admin privileges.

Whitepaper much?

"DoubleAgent can exploit:
Every Windows version (Windows XP to Windows 10)
Every Windows architecture (x86 and x64)
Every Windows user (SYSTEM/Admin/etc.)
Every target process, including privileged processes (OS/Antivirus/etc.)

DoubleAgent exploits a 15-year-old undocumented legitimate feature of Windows and therefore cannot be patched."
 
Well, I hope this is a flag for them to come up with a quick resolution to this.
 
Tell that to the makers of my POS software. One of the requirements to run it is to TURN OFF UAC. Program won't properly update every couple weeks with UAC on.

That is why you need a program/launcher for that program that will run it in admin mode.

Sounds like you need to switch to a different POS.
 
That is why you need a program/launcher for that program that will run it in admin mode.

Sounds like you need to switch to a different POS.

Unfortunately you don't always have an alternative to switch to. We also run our users as local admins on their machines because of various software packages requiring it. Having someone not be a local admin may cut down on risk, but it isn't a catch-all.
 
People who turn off UAC are too stupid to own a computer, and should have it confiscated for their own protection. Proper user and permissions management (borrowed from *nix of course) is IMHO one of the few things Microsoft has done right in the last 10 years. As big an advance as, if not bigger than, protected memory was in XP (the first consumer Microsoft OS to introduce the feature).

It seems you never worked in an IT dept that supports 6000 Windows based computers which you're tasked to deploy software to and maintain. Yes, I have worked around UAC. Thankfully, a program called elevate.exe for batch files and scripts has helped. Combined with the use of an appliance called KACE to deploy said software, it ends up making my life a bit easier.

UAC is designed to prevent Administrators from automatically having admin privileges all the time. Since most home users are local ADMINS they see these popups and tend to override by clicking yes or OK. I think MS should have focused UAC on domain admins so they/we can run in standard mode and elevate when needed. Create something different for home users. *Most* home users do not care or have an understanding of UAC and will google how to shut it off or blindly just click OK at each prompt.

Calling people who turn off UAC "too stupid and should have their computers confiscated" is rather short-sighted. Not every environment is a home-consumer one. UAC has its place and it should be viewed as a tool, not a computer condom.
 
KACE is cool. CyberArk and application white listing helps immensely when the end user can't be trusted.
 
It seems you never worked in an IT dept that supports 6000 Windows based computers which you're tasked to deploy software to and maintain. Yes, I have worked around UAC. Thankfully, a program called elevate.exe for batch files and scripts has helped. Combined with the use of an appliance called KACE to deploy said software, it ends up making my life a bit easier.

UAC is designed to prevent Administrators from automatically having admin privileges all the time. Since most home users are local ADMINS they see these popups and tend to override by clicking yes or OK. I think MS should have focused UAC on domain admins so they/we can run in standard mode and elevate when needed. Create something different for home users. *Most* home users do not care or have an understanding of UAC and will google how to shut it off or blindly just click OK at each prompt.

Calling people who turn off UAC "too stupid and should have their computers confiscated" is rather short-sighted. Not every environment is a home-consumer one. UAC has its place and it should be viewed as a tool, not a computer condom.


Every Enterprise environment I have worked in, the IT department administers local machines through screen sharing, and providing admin credentials to UAC only when needed. It might be a pain in the butt, but I still see disabling UAC as a major security risk, and highly irresponsible.
 
Well, I hope this is a flag for them to come up with a quick resolution to this.

If I have understood the issue properly (and I may not have) this is a fundamental flaw in the way Windows operating systems work and provide trusted software that requires higher privileges with those privileges. It may not be patchable without re-engineering this aspect of the operating system, which would break a HUGE amount of software.

It will be interesting to see how they approach this. Microsoft certainly has at least tried to be more focused on security in later years, but this is a tough one.
 
Whitepaper much?

"DoubleAgent can exploit:
Every Windows version (Windows XP to Windows 10)
Every Windows architecture (x86 and x64)
Every Windows user (SYSTEM/Admin/etc.)
Every target process, including privileged processes (OS/Antivirus/etc.)

DoubleAgent exploits a 15-year-old undocumented legitimate feature of Windows and therefore cannot be patched."

I've been doing this cyber security thing for a long time. Wouldn't lead you astray with nonsense. Not on purpose anyway.

It can exploit every user. Not the same as can be exploited *BY* any user. Still have to have admin rights to load the debug tools they used.

Granted, it's a nasty way to trojanize an AV process, which would make subsequent detection difficult, but once admin is lost it's all downhill regardless.
 
Tell that to the makers of my POS software. One of the requirements to run it is to TURN OFF UAC. Program won't properly update every couple weeks with UAC on.
I'd set it up to run the s/w as admin:
1. right click on the program's shortcut
2. click on properties
3. Click on the shortcut tab
4. Click on Advanced...
5. check "run as Administrator"
6. Click OK
7. Click OK (or apply).

Can't guarantee that will work for you, but I believe it will.
 
It seems you never worked in an IT dept that supports 6000 Windows based computers which you're tasked to deploy software to and maintain. Yes, I have worked around UAC. Thankfully, a program called elevate.exe for batch files and scripts has helped. Combined with the use of an appliance called KACE to deploy said software, it ends up making my life a bit easier.

UAC is designed to prevent Administrators from automatically having admin privileges all the time. Since most home users are local ADMINS they see these popups and tend to override by clicking yes or OK. I think MS should have focused UAC on domain admins so they/we can run in standard mode and elevate when needed. Create something different for home users. *Most* home users do not care or have an understanding of UAC and will google how to shut it off or blindly just click OK at each prompt.

Calling people who turn off UAC "too stupid and should have their computers confiscated" is rather short-sighted. Not every environment is a home-consumer one. UAC has its place and it should be viewed as a tool, not a computer condom.
My mom runs as an Admin. My dad does not. Why? Because dad clicks on crap and installs malware. He can still do it, but he's going to have to type the admin password when prompted.

IMNSHO, that's how it should be for all but those who mostly know what they're doing (which doesn't mean you're a System Admin). If you have to type a password, you're going to think about it.
That is exactly how *nix generally works (though normally I'm elevated for a period of time and not just for a single command).
 
Every Enterprise environment I have worked in, the IT department administers local machines through screen sharing, and providing admin credentials to UAC only when needed. It might be a pain in the butt, but I still see disabling UAC as a major security risk, and highly irresponsible.
Where I'm at, developers, admins and other technical workers generally have Administrator rights, but the vast majority of peeps don't have those rights. And to be honest, there are some devs here that shouldn't have those rights, but they're the exception among the IT groups.
 
Where I'm at, developers, admins and other technical workers generally have Administrator rights, but the vast majority of peeps don't have those rights. And to be honest, there are some devs here that shouldn't have those rights, but they're the exception among the IT groups.


Same here. In my last position I didn't have admin rights. In order for a software guy to get admin privileges they needed approvals from two levels of managers.

This wasn't always the case. As much as it inconveniences me personally, since I generally seem more informed on the subject matter than most of the lower level guys in the IT department I talk to, companies seem to have become smarter about who they give admin privileges over the last 10 years. These days I more often than not lack admin privileges. 10 years ago, that was never the case.
 
I would think this is easy to defeat since it relies on replacing an authentic piece of MS software in the Windows folder with a counterfeit one. For example, on a simple Windows box, you can boot a Linux flash drive, then in the system32 folder delete the osk.exe application, then rename cmd.exe as osk.exe. Then reboot and at the login screen hit the assistive devices icon in the lower left corner and then select on screen keyboard. But what pops up is a cmd terminal with super user privy. From this you own the box. However, there seems to be a way to prevent this. At the installation where we have Win 7 Pro boxes, when this hack is attempted, upon reboot, Windows immediately goes into system repair and then reboots itself. The assistive devices have been repaired!

It seems somehow there is a boot level hash check of the windows folder and if a change is detected, the system is repaired. However, I do not know the particulars of how this is done.

Still any change to the 'runtime verification tool' code could be detected this way.
 
It seems somehow there is a boot level hash check of the windows folder and if a change is detected, the system is repaired. However, I do not know the particulars of how this is done.

Still any change to the 'runtime verification tool' code could be detected this way.

Windows 7 and later only loads signed binaries into kernel space :)

There are also application control technologies that can prevent tampering and loading of unrecognized apps. Short of a very tight implementation where the logged-on user is not trusted, though, loss of admin is hard to defend; you just have to make sure accounts can't move vertically or horizontally too far, to contain the damage.

Consider that once you have admin you can also uninstall or disable AV. This exploit makes it look like AV is OK for very simplistic checks and lets you run nasty stuff under innocent looking process names. But with local admin you could just as easily exploit notepad :ninja:
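An added example, not code from the thread or from Cybellum, of the kind of check the last two posts point at: auditing the Image File Execution Options (IFEO) registrations that turn Application Verifier on for a target executable and checking the Authenticode signature of the provider DLLs they name. It assumes the standard IFEO key and the GlobalFlag (0x100 = application verifier) and VerifierDlls values that Application Verifier itself uses; those are Windows conventions, not values quoted on this page.

```powershell
# Added example (not from the thread or from Cybellum): list IFEO entries that
# enable Application Verifier for an executable and name provider DLLs, then
# check each DLL's Authenticode signature. Run from an elevated prompt.
$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$FLG_APPLICATION_VERIFIER = 0x100   # GlobalFlag bit that turns the verifier on

function Get-VerifierRegistrations {
    foreach ($key in Get-ChildItem -Path $IfeoPath -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath
        # GlobalFlag may be a REG_DWORD or a hex string such as "0x00000100";
        # PowerShell's [int] cast accepts both, and an absent value becomes 0.
        $gflag = [int]([string]$props.GlobalFlag).Trim()
        $dlls  = @(([string]$props.VerifierDlls) -split '\s+' | Where-Object { $_ })

        $verifierOn = ($gflag -band $FLG_APPLICATION_VERIFIER) -ne 0
        if (-not $verifierOn -and $dlls.Count -eq 0) { continue }
        if ($dlls.Count -eq 0) { $dlls = @('(none)') }

        foreach ($dll in $dlls) {
            # Provider DLLs are loaded by name; System32/SysWOW64 are the usual
            # homes. A name that resolves nowhere is reported as NotFound.
            $path = @("$env:SystemRoot\System32\$dll", "$env:SystemRoot\SysWOW64\$dll") |
                Where-Object { $dll -ne '(none)' -and (Test-Path -LiteralPath $_) } |
                Select-Object -First 1
            $status = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'NotFound' }
            [pscustomobject]@{
                TargetExe   = $key.PSChildName
                VerifierOn  = $verifierOn
                VerifierDll = $dll
                Path        = $path
                Signature   = $status
            }
        }
    }
}

# A row with VerifierOn set whose DLL is missing, unsigned, or anything other
# than the stock verifier.dll deserves a closer look, AV executables first.
Get-VerifierRegistrations | Format-Table -AutoSize
```

Windows Resource Protection (what the earlier post observed as the "boot level" repair, checkable with sfc /verifyonly) covers the stock verifier.dll file but not these registry values, which is why the registry side is what this script audits.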
 
Windows 7 and later only loads signed binaries into kernel space :)

There are also application control technologies that can prevent tampering and loading of unrecognized apps. Short of a very tight implementation where the logged-on user is not trusted, though, loss of admin is hard to defend; you just have to make sure accounts can't move vertically or horizontally too far, to contain the damage.

Consider that once you have admin you can also uninstall or disable AV. This exploit makes it look like AV is OK for very simplistic checks and lets you run nasty stuff under innocent looking process names. But with local admin you could just as easily exploit notepad :ninja:

Very true. Calculator isn't even safe. :cry:
 
What is Psychosis?
Psychosis refers to a loss of contact with reality, in which people have trouble distinguishing between what is real and what is not. When this occurs, it is called a psychotic episode.
Instead of getting the facts to understand the situation, you jump to a conclusion and make an incorrect accusation of a psychotic episode.
Says more about you.
;)
 