
How do attackers use Microsoft Application Verifier for hijacking?

Attackers found a way to use Microsoft Application Verifier to hijack security products, like antivirus tools. Expert Judith Myerson explains how it's done and what to do to stop it.

Attackers can reportedly hijack security products via Microsoft Application Verifier. What does this tool do? How can we stop malicious use of this tool?

Legitimate developers use Microsoft Application Verifier to find programming errors in their applications. The tool has been available since the days of Windows XP.

Flaws in the Microsoft Application Verifier enable hackers to launch DoubleAgent attacks against antivirus products. They can take full control of Norton AntiVirus, for example, and use it as ransomware to encrypt or delete user files on a desktop.

The attack relies on the tool's normal behavior: it loads a so-called verifier provider dynamic link library (DLL) into the targeted application's process for runtime testing. The attacker creates a provider DLL of their own and registers it in the Windows Registry as the verifier provider for a specified process name. Windows then automatically injects that DLL into every process started under the product's registered name.

Some antivirus vendors try to protect their products by locking down the registry keys associated with their processes. The researchers at Cybellum, an Israeli company that specializes in zero-day prevention, bypassed that self-protection with little effort; according to the company, the technique worked on all major antivirus products. The researchers registered a malicious DLL as the verifier provider for a process associated with a product and used it to inject arbitrary code.
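The defensive counterpart to the registration step described above is to audit where verifier providers are registered. The following script is an added example for this article, not code from Cybellum or any antivirus vendor. It assumes the documented Application Verifier registry layout, which the article does not spell out: a per-executable subkey under Image File Execution Options (IFEO) whose GlobalFlag value has the 0x100 application-verifier bit set and whose VerifierDlls value names the provider DLL(s). The input is a constructed `.reg` export of that hive; on a live system the same text comes from `reg export` of the IFEO key.

```python
"""Audit an exported Image File Execution Options (IFEO) hive for verifier
provider DLL registrations of the kind the DoubleAgent technique abuses.

Added example; not the article's, Cybellum's or any vendor's code. Assumes
the `reg export` text format and the documented Application Verifier layout
(IFEO\<exe> with GlobalFlag bit 0x100 set and a VerifierDlls REG_SZ value).
"""
import re

FLG_APPLICATION_VERIFIER = 0x100  # GlobalFlag bit that enables the verifier

# Directories where a legitimate verifier provider is expected to live.
# Heuristic only: DLLs elsewhere are suspicious, not automatically malicious.
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample export (not a real registry dump): one ordinary verifier
# registration, one provider registered against a hypothetical antivirus
# service from a user-writable directory, and one unrelated debugger entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="vrfcore.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avservice.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="C:\\Users\\Public\\provider.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Windows\\System32\\vsjitdebugger.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _parse_data(data):
    """Decode the dword and string forms used in .reg exports."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if data.startswith('"') and data.endswith('"'):
        # .reg files escape backslashes and quotes inside strings
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return data  # hex(...) and other types are left as raw text


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for every key in the export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = keys.setdefault(key.group(1), {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name, data = val.groups()
            current[name] = _parse_data(data)
    return keys


def audit_verifier_providers(keys, protected_processes):
    """List every IFEO subkey that registers a verifier provider DLL.

    A registration is rated "high" when the DLL lives outside the Windows
    system directories or when it targets a process the caller has declared
    protected (for example an antivirus service); otherwise "info".
    """
    protected = {p.lower() for p in protected_processes}
    findings = []
    for path, values in keys.items():
        exe = path.rsplit("\\", 1)[-1].lower()
        if exe == "image file execution options":
            continue  # the IFEO root key itself, not a per-process entry
        dlls = values.get("VerifierDlls")
        if not dlls:
            continue
        verifier_on = bool(values.get("GlobalFlag", 0) & FLG_APPLICATION_VERIFIER)
        for dll in str(dlls).split():  # VerifierDlls is a space-separated list
            # A bare file name is resolved from the system directory; a full
            # path is checked against the trusted directories.
            in_system_dir = "\\" not in dll or dll.lower().startswith(TRUSTED_DLL_DIRS)
            severity = "high" if (exe in protected or not in_system_dir) else "info"
            findings.append({
                "process": exe,
                "dll": dll,
                "verifier_enabled": verifier_on,
                "severity": severity,
            })
    return findings


if __name__ == "__main__":
    # "avservice.exe" is a placeholder for whatever security processes the
    # operator wants treated as protected.
    for f in audit_verifier_providers(parse_reg_export(SAMPLE_REG_EXPORT), {"avservice.exe"}):
        print(f"{f['severity']:4s} {f['process']} <- {f['dll']} (verifier on: {f['verifier_enabled']})")
```

The list of protected process names should be the security products actually installed on the host; any verifier provider registered against one of them, or loaded from a user-writable path, is worth investigating, since Application Verifier itself rarely has a reason to be enabled for an antivirus service in production.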

Not all impacted antivirus vendors have released patches for the Microsoft Application Verifier vulnerability. Vendors that have include Malwarebytes, AVG and Kaspersky Lab. Comodo's antivirus product was slightly more difficult to defeat, but a separate, unreleased proof of concept has been used to carry out the DoubleAgent attack against it.

Microsoft takes a different approach to protecting antimalware services. It adds another layer of defense by implementing Windows Defender Security Center in Windows 8.1 and beyond. You can view the status of antivirus products, firewall and network protection, app and browser controls, and device performance and health.

Before you update your favorite antivirus product, visit the vendor's website and the Common Vulnerabilities and Exposures website for the latest reports on the product's vulnerabilities and patches.


This was last published in June 2017
