DoubleAgent code injection and process hijacking explained
ESET Customer Advisory 2017-0006
March 23, 2017
ESET has been informed about the findings in reports by Cybellum which describe a technique called DoubleAgent, used to inject code and maintain persistence on a machine (i.e., auto-run) by misusing Microsoft’s Application Verifier’s undocumented feature.
Most ESET processes were already immune to the vulnerability; ESET added protection for additional processes that could be used to exploit this vulnerability (the added protection is distributed automatically to all users by means of a module update). Additionally, administrator rights are necessary to administer this attack, which greatly reduces its likelihood.
According to the reports, it is possible to edit registry entries for processes using Microsoft’s Application Verifier values to load any library from the disk, thus opening the possibility of loading a malicious library that will be given the permissions of the victim process. (The scope of the processes is not limited to ESET processes, nor is it limited to AV products processes.)
However, it should be stressed that the severity of this vulnerability is considered to be very low since the attackers need to have administrator rights on the victim’s machine to edit the registry entries.
ESET gradually implements additional layers of security that prevent attacks on the operating system or on the security product itself. In all ESET products for Windows since version 4 our Self-defense feature is enabled by default, this feature prevents registry key modification for our key processes and the latest update to HIPS module version 1273, released on March 23, 2017, added the same level of protection for additional ESET processes which could be misused to load malicious libraries. The update to the module is distributed to all users automatically, thus there is no need to download or install anything.
Note: A computer restart is required upon first installation of your Windows ESET product in order for the Self-defense protection to integrate fully.
Additionally, the main ESET process ekrn.exe makes use of so-called Protected Service in the latest version 10 of ESET consumer products on Windows 8.1 and higher and therefore it is not possible to exploit it this way on the mentioned versions of Windows. The same level of protection is coming to the Endpoint line of our products in the upcoming version.
Feedback & Support
Version 1.0 (March 23, 2017): Initial version of this document