Your Antivirus is a DoubleAgent!

In the field of counterintelligence, a double agent is an agent who does the incredibly risky job of pretending to act as a spy for one country or organisation while in fact acting on behalf of an enemy.

DoubleAgent, written without a space between the two words, is the name of a code-injection attack technique published with proof-of-concept code in 2017. It could potentially cause a devastating attack on your company's computers, because it works by turning your antivirus (AV) software against you.


The technique was reported as a zero-day vulnerability affecting all versions of Microsoft Windows then in use. "Zero-day" means a hole in a piece of software that is unknown to the author or vendor, who therefore has had no time, zero days, to patch it before the malware is unleashed. Strictly speaking, DoubleAgent does not rely on a hidden flaw at all: it abuses a legitimate, documented Windows feature, which is why, as explained below, it cannot simply be patched away.

It can be used to make your computer spy on you and your business, or to hold your data to ransom like the recent WannaCry malware attack. Alternatively, it could simply turn your antivirus protection off without you knowing it. Turning your computer off and on again won’t make any difference.

What does DoubleAgent actually do?

DoubleAgent uses a legitimate feature of the Microsoft Windows operating system that runs the majority of the computers on our desks. This feature is called Application Verifier. It is designed to help programmers write better software: it loads extra checking code, called verifier provider DLLs, into an application while it runs, so that bugs such as memory corruption, handle misuse and locking mistakes are caught during testing.

A developer registers a verifier DLL against the file name of the program to be tested, in a machine-wide area of the Windows registry (the Image File Execution Options key). From then on, every time a program with that name starts, Windows loads the registered DLL into the new process before the program's own code runs, so whatever is in that DLL executes with the program's privileges and has full control of it. DoubleAgent simply registers an attacker's DLL against the antivirus's own executable. Because the registration lives in a machine-wide registry key, the hacker can do this only if they already have administrator rights on the computer, the same rights needed to install new programs in the first place.

Rather like a human double agent, malware planted in this way becomes persistent. The registry entry survives a reboot, and Windows re-injects the DLL every time the antivirus starts, so turning the computer off and on again does not make it disappear.
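The registrations described above can be audited from an administrative PowerShell prompt. The script below is an added example, not code from the original article or from the researchers who published DoubleAgent. It relies on two documented facts about Application Verifier: provider DLLs are named in the VerifierDlls value of the Image File Execution Options key for an executable, and they are only loaded while the FLG_APPLICATION_VERIFIER bit (0x100) is set in that key's GlobalFlag value. The list of Microsoft's own provider DLL names used to separate expected registrations from unexpected ones is an assumption drawn from what appverif.exe registers; treat anything reported as unknown as something to check, not as proof of compromise.

```powershell
# Added audit script (example code, not from the article or the DoubleAgent researchers).
# Windows loads the DLLs named in the REG_SZ value "VerifierDlls" under
# HKLM\...\Image File Execution Options\<image.exe> into every new process with that
# image name, provided the FLG_APPLICATION_VERIFIER bit (0x100) is set in "GlobalFlag".
# The script lists each such registration so an administrator can confirm it is an
# intentional debugging setup and not a DoubleAgent-style persistent injection.

$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$FLG_APPLICATION_VERIFIER = 0x100

# Provider DLLs that appverif.exe itself registers (assumption: anything else deserves a look).
$knownProviders = @('vrfcore.dll', 'vfbasics.dll', 'vfcompat.dll', 'vfluapriv.dll',
                    'vfprint.dll', 'vfnet.dll', 'vfntlmless.dll', 'vfnws.dll', 'vfcuzz.dll')

function ConvertTo-GlobalFlag {
    param($Raw)
    # gflags.exe writes GlobalFlag as REG_DWORD; a REG_SZ such as "0x100" is also seen in the wild.
    if ($null -eq $Raw) { return 0 }
    if ($Raw -is [int]) { return $Raw }
    $text = "$Raw".Trim()
    if ($text -match '^0x[0-9a-fA-F]+$') { return [Convert]::ToInt32($text.Substring(2), 16) }
    return -1   # could not parse; reported verbatim below so nobody trusts a guess
}

# Process names currently running, so the report shows which registrations are live right now.
$running = Get-Process | Select-Object -ExpandProperty ProcessName -Unique

$findings = foreach ($root in $ifeoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root) {
        $props = Get-ItemProperty -LiteralPath $key.PSPath
        if (-not $props.VerifierDlls) { continue }   # no verifier provider registered for this image
        $flag    = ConvertTo-GlobalFlag $props.GlobalFlag
        $dlls    = @($props.VerifierDlls -split '\s+' | Where-Object { $_ })
        $unknown = @($dlls | Where-Object { $knownProviders -notcontains $_.ToLower() })
        $image   = $key.PSChildName
        [pscustomobject]@{
            Image           = $image
            Bitness         = $(if ($root -like '*Wow6432Node*') { '32-bit' } else { '64-bit' })
            VerifierDlls    = ($dlls -join ' ')
            GlobalFlag      = $(if ($flag -ge 0) { '0x{0:X}' -f $flag } else { "$($props.GlobalFlag) (unparsed)" })
            VerifierEnabled = $(if ($flag -ge 0) { ($flag -band $FLG_APPLICATION_VERIFIER) -ne 0 } else { 'unknown' })
            UnknownDlls     = ($unknown -join ' ')
            ImageIsRunning  = ($running -contains [IO.Path]::GetFileNameWithoutExtension($image))
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No Application Verifier registrations found under Image File Execution Options.'
}
```

Run it from an elevated prompt on the machine you want to check. A row whose Image is your antivirus executable, whose VerifierEnabled is True and whose UnknownDlls column is not empty is exactly the shape of registration DoubleAgent creates; a row for a developer's own test build with only Microsoft provider DLLs is the feature being used as intended. Removing a malicious registration means deleting the VerifierDlls value (and clearing the 0x100 bit) under that image's key, then restarting the affected program, since the DLL stays loaded in any process that already started with it.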

Once hackers control the antivirus program they can manipulate it to execute all sorts of attacks, from passive surveillance to encrypting and ransoming data, because of the inherent trust that operating systems place in antivirus programs. Antivirus software is a particularly appealing target because it runs with high privileges and is able to read and modify most parts of the system, so code injected into it inherits that reach.

However, in spite of some recent and somewhat dramatic media reports, Microsoft in fact published a technical breakdown of the vulnerability in 2012. It has also already added new features to the latest versions of Windows that block such an attack against important programs like antivirus: since Windows 8.1, anti-malware services can run as "protected processes", which the operating system refuses to inject unsigned code into, provided the antivirus vendor has opted in to the mechanism.

It still sounds bad if you have a vulnerable computer, but just how bad is it?

DoubleAgent, while not to be underestimated, is yet another demonstration of a potential attack vector (a way to break in or exploit a computer or network). However, no one really knows, other than perhaps hackers working for the intelligence services, whether anyone has ever attacked a computer in this way before. If it did occur, it could have serious consequences for the computer – as do many other types of malware – and anything stored on it.

Luckily, such an attack is unlikely to be common. Loading a DLL into the antivirus is the easy part; to make the hijacked program do anything useful, the hacker has to reverse-engineer the target application, understand its inner workings and write a malicious verifier DLL tailored to it, which is very time consuming. Combined with the need for administrator rights, this probably puts it beyond the skill and interest level of the average cybercriminal.

More to the point, a hacker who has already acquired the administrator credentials needed to plant this kind of malware has plenty of easier targets to try to hit. Criminals usually prefer to cause disruption and earn ill-gotten gains in much quicker ways.


The advice for small businesses and individuals

“The key piece of practical advice for businesses and individuals with respect to DoubleAgent and WannaCry is to make sure that the latest software patches are installed and that their data is backed up regularly,” says Greg Mosher, Vice President of Product and Engineering, SMB, AVG Business by Avast. “Having an off-site copy of your data could mean the difference between being locked out of your business and not.”

“They also need to ensure their antivirus is up to date, in line with official advice. There are diagnostic tools out there too which can tell you if your PC is at risk from WannaCry, and free ransomware decryptors which can help you regain access to your computer and data without paying the hackers.”

Don’t believe the hype

It can be challenging for a business, or individual for that matter, to evaluate the risk posed by DoubleAgent or ransomware like WannaCry, especially if they’re short on time and IT know-how.

No computer or software is 100% safe from hackers because, by definition, unknown weaknesses cannot be patched until they are discovered, hopefully by the good guys and not the hackers. That is why it is critical to use up-to-date technology, systems and software.