New Trend? Antivirus Software Exploited To Launch Privilege Escalation Attack

How can cybercriminals penetrate a network or computer when security software is in place to stop them? Some have found an answer: attack the very software meant to secure the machine. That is exactly what happened with ZoneAlarm antivirus, which fell victim to a cleverly exploitable vulnerability reported by Illumant, a cybersecurity consulting and penetration-testing firm.

The exploit abuses a .NET (WCF) service that ZoneAlarm installs and runs with SYSTEM privileges. A low-privileged process talks to that service and gets it to perform work on its behalf, so the attacker's code ends up with SYSTEM-level access, which on Windows sits above even an administrator account when it comes to performing system tasks. On its own, a standard-user process has no such path to SYSTEM; with ZoneAlarm installed, its .NET service becomes the bridge through which the privilege escalation takes place.

Any typical antimalware product installs itself deep into Windows; by design it has to, so that malware cannot remove it from the system. The side effect is that the antimalware's processes and services run with higher privilege than ordinary software on the machine. That is what makes this privilege escalation bug possible: the exploit never has to win SYSTEM privilege itself, it borrows the privilege the antimalware process already holds by having that process do the work.

“This is a stark reminder to the security software industry. Security software manufacturers need to pay extra attention to the security of their own software lest their products become the vulnerability that allows for the propagation of cyber-attacks rather than the defense against them,” explained Matija Siljak, Illumant’s co-founder.

This specialized attack has been dubbed “OwnDigo”, and it is described as the first attack to use the privilege of an already installed mainstream antivirus product to escalate the privilege of an unauthorized process on the fly.

“In this case, we’ve exploited services in ZoneAlarm. But the methodology is applicable to many other programs. WCF is widely used in .NET applications, and initial research indicates that many other implementations are not adequately secured. In fact, other researchers have recently published similar vulnerabilities,” added Siljak.
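As an added illustration (not ZoneAlarm's, Check Point's or Illumant's code, and not the actual OwnDigo exploit), the following C# sketch shows the general shape of the problem that the paragraphs above and Siljak's WCF remark describe: a .NET WCF service hosted as SYSTEM over a named pipe that performs caller-chosen work without checking who the caller is, beside a hardened version that authenticates the caller and confines the request. The service name, contract, pipe address and quarantine path are all hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;

// Contract for a hypothetical maintenance service that an antivirus product
// might host as SYSTEM so that its unprivileged UI components can request work.
[ServiceContract]
public interface IQuarantineService
{
    [OperationContract]
    bool DeleteQuarantinedFile(string path);
}

// Insecure shape: the operation trusts whatever it is handed. Any local process
// that can reach the pipe can make a SYSTEM service delete a caller-chosen file,
// so the caller inherits SYSTEM's file-system rights without ever holding them.
public class InsecureQuarantineService : IQuarantineService
{
    public bool DeleteQuarantinedFile(string path)
    {
        File.Delete(path);          // executes as SYSTEM, path chosen by the caller
        return true;
    }
}

// Hardened shape: check who is calling and constrain what they may ask for.
public class HardenedQuarantineService : IQuarantineService
{
    // Hypothetical quarantine directory; only files under it may be deleted.
    private static readonly string QuarantineRoot =
        Path.GetFullPath(@"C:\ProgramData\ExampleAV\Quarantine") + Path.DirectorySeparatorChar;

    public bool DeleteQuarantinedFile(string path)
    {
        // With NetNamedPipeBinding transport security, WCF authenticates the
        // connecting process with its Windows identity and exposes it here.
        WindowsIdentity caller = ServiceSecurityContext.Current?.WindowsIdentity;
        if (caller == null || caller.IsAnonymous ||
            !new WindowsPrincipal(caller).IsInRole(WindowsBuiltInRole.Administrator))
        {
            throw new FaultException("caller is not an administrator");
        }

        // Normalise and confine the argument so even an authorised caller
        // cannot turn this operation into an arbitrary delete.
        string full = Path.GetFullPath(path);
        if (!full.StartsWith(QuarantineRoot, StringComparison.OrdinalIgnoreCase))
        {
            throw new FaultException("path is outside the quarantine directory");
        }

        File.Delete(full);
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        // Host the hardened service on a named pipe. Transport security (the
        // default for NetNamedPipeBinding) is what makes the caller identity
        // above available; switching it to None would hide who is calling.
        var binding = new NetNamedPipeBinding(NetNamedPipeSecurityMode.Transport);
        using (var host = new ServiceHost(typeof(HardenedQuarantineService),
                                          new Uri("net.pipe://localhost/ExampleAV")))
        {
            host.AddServiceEndpoint(typeof(IQuarantineService), binding, "quarantine");
            host.Open();
            Console.WriteLine("Listening on net.pipe://localhost/ExampleAV/quarantine; press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

Two design points follow from the hardened version. First, the identity check relies on the pipe being authenticated; under UAC an administrator's non-elevated process carries a filtered token and fails the role check, which is the intended behaviour. Second, the path confinement matters independently of the identity check: the safest privileged service exposes the smallest possible set of operations and never lets the caller pick file paths, process names or command lines that the SYSTEM process will then act on.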

Check Point, the publisher of ZoneAlarm antivirus, has been informed of the OwnDigo bug and is working out how to fix the problem. Illumant followed responsible disclosure for this important finding, which may be only the start of a trend in which the very software expected to secure the computer becomes the attack surface abused by malware authors and cybercriminals.

Other antimalware vendors should audit their own products as well, to avoid following in the footsteps of ZoneAlarm antivirus. It is counter-intuitive for the antimalware industry that its own software could become the channel through which cybercriminals penetrate an otherwise secure and private network.

Julia Sowells

Julia Sowells is a technology and security professional. Over a decade in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles, and served as a technical editor for Rural Press Magazine. She now lives and works in New York, where she runs her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.