Cybersecurity researchers have unveiled a new code injection technique that poses a serious risk to antivirus software systems, allowing attackers to create dangerous backdoors. This method exploits antivirus processes, compromising their ability to protect against threats.
Technique and Exploitation
The method, described by cybersecurity expert Two Seven One Three, involves cloning protected services and hijacking cryptographic providers. By injecting malicious code into antivirus processes, attackers can bypass standard defenses and access restricted directories undetected. The injection abuses the very features that make antivirus software robust, such as unkillable, SYSTEM-level privileged processes, to load harmful DLLs at startup.
- Two Seven One Three identified service cloning as a key weakness in antivirus systems.
- IAmAntimalware, an open-source tool, automates service cloning and cryptographic provider modifications.
- Successful injections have been demonstrated on Bitdefender, Trend Micro, and Avast, evading detection with signed DLLs.
Mitigation and Security Measures
To counter these vulnerabilities, experts recommend closer monitoring of module loads from suspicious paths and auditing trusted certificates and the cryptographic providers registered in the registry. Enforcement of Windows Protected Process Light (PPL) and the use of behavioral analytics are suggested strategies to mitigate the risk.
- Security audits and anomaly detection are crucial to preventing unauthorized module loads.
- PPL enforcement can help maintain process integrity.
- Behavioral analytics can identify unusual system behavior indicative of code injection.
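As an added illustration of the module-load monitoring recommended above (example code written for this summary, not code from the research or from the IAmAntimalware tool), the following Python flags DLL loads into a protected antivirus process that come from outside the product's baseline directories, are unsigned, or are signed by an unexpected publisher. The product name ExampleAV, its paths, signers and the event records are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageLoad:
    """One module-load event (Sysmon Event ID 7 style): which process loaded
    which DLL, and what signature verification reported about it."""
    process: str
    image: str
    signed: bool
    signer: str = ""


# Constructed baseline for a hypothetical product "ExampleAV": the directories
# its SYSTEM-level service is expected to load DLLs from and the publishers
# expected to have signed them. In practice, build this from a known-clean host.
BASELINE = {
    "c:\\program files\\exampleav\\avservice.exe": {
        "dirs": ("c:\\program files\\exampleav\\", "c:\\windows\\system32\\"),
        "signers": ("example av corp", "microsoft windows"),
    },
}


def flag_suspicious_loads(events):
    """Return [(image, reasons)] for loads into profiled processes that deviate
    from the baseline. Loads by processes without a profile are skipped."""
    findings = []
    for ev in events:
        profile = BASELINE.get(ev.process.lower())
        if profile is None:
            continue
        image, reasons = ev.image.lower(), []
        if not image.startswith(profile["dirs"]):
            reasons.append("path outside baseline directories")
        if not ev.signed:
            reasons.append("unsigned module")
        elif ev.signer.lower() not in profile["signers"]:
            # A valid signature alone is not enough: the article notes signed DLLs evading detection.
            reasons.append("signed by unexpected publisher")
        if reasons:
            findings.append((ev.image, tuple(reasons)))
    return findings


# Constructed sample telemetry, not captured from a real host.
AV = r"C:\Program Files\ExampleAV\avservice.exe"
SAMPLE_EVENTS = [
    ImageLoad(AV, r"C:\Program Files\ExampleAV\engine.dll", True, "Example AV Corp"),
    ImageLoad(AV, r"C:\Windows\System32\ntdll.dll", True, "Microsoft Windows"),
    ImageLoad(AV, r"C:\Users\Public\cryptprov.dll", True, "Some Other Publisher"),
    ImageLoad(AV, r"C:\Program Files\ExampleAV\helper.dll", False),
    ImageLoad(r"C:\Windows\notepad.exe", r"C:\Users\Public\cryptprov.dll", False),
]

if __name__ == "__main__":
    for image, reasons in flag_suspicious_loads(SAMPLE_EVENTS):
        print(f"ALERT {image}: {', '.join(reasons)}")
```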
The discovery reveals the tension between ensuring antivirus protection and reducing attack surfaces. While antivirus features are designed to enhance security, they can be exploited for malicious ends, necessitating ongoing vigilance and adaptation by cybersecurity teams.