From XP to 10, DoubleAgent pwns all your Windows?

The Cybellum team published a new 0-day technique for injecting code and maintaining persistence on a target computer, which they named DoubleAgent. The technique abuses a feature present in every Windows version since XP: an Application Verifier provider DLL can be registered for any executable. The verifier provider DLL is simply a DLL that the loader maps into the process, nominally to perform run-time verification of the application. Its actual behaviour, however, can be whatever an attacker wants, since the attacker supplies the DLL.

Microsoft describes it as:

Application Verifier is a runtime verification tool for unmanaged code. Application Verifier assists developers in quickly finding subtle programming errors that can be extremely difficult to identify with normal application testing. Using Application Verifier in Visual Studio makes it easier to create reliable applications by identifying errors caused by heap corruption, incorrect handle and critical section usage. (…)

The code injection occurs extremely early during the victim’s process initialization, giving the attacker full control over the process and no way for the process to actually detect what’s going on. Once a DLL has been registered as a verifier provider DLL for a process, it would permanently be injected by the Windows Loader into the process every time the process starts, even after reboots, updates, reinstalls, or patches.

So it’s all over for Windows, right? Well… no. The thing is, registering this DLL requires administrator rights, because the registration is a key that has to be written to the Windows Registry. Without those permissions, there is no way for this attack to work. You know, the kind of permissions that let you install software for all users or format your own hard drive. So, although the technique has its merit and can present a real challenge to processes that absolutely must maintain their integrity (the Cybellum team points to anti-virus software as the prime example), some other security flaw has to be exploited first before you can register this sort of ‘debugging DLL’.
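From the defender’s side, the registration the article describes is easy to audit. The script below is an added example, not code from the article or from Cybellum; it assumes the documented Image File Execution Options layout (one subkey per executable name, a `GlobalFlag` DWORD whose 0x100 bit enables Application Verifier, and a `VerifierDlls` string listing the provider DLLs) and lists every registration with where the DLL resolves to and whether it is signed.

```powershell
# Added example (not from the article or Cybellum): enumerate Application Verifier
# provider registrations, the persistence mechanism DoubleAgent relies on.
# Assumption: the documented IFEO layout, i.e. one subkey per executable name, a
# REG_DWORD GlobalFlag whose 0x100 bit (FLG_APPLICATION_VERIFIER) turns the verifier
# on, and a REG_SZ VerifierDlls naming the provider DLLs the loader maps into the process.
$FLG_APPLICATION_VERIFIER = 0x100
$ifeoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'  # 32-bit images
)

function Get-VerifierProviderRegistrations {
    foreach ($key in $ifeoKeys) {
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            $props  = Get-ItemProperty -Path $_.PSPath
            $flags  = [int64]($props.GlobalFlag)            # $null becomes 0
            $dlls   = [string]$props.VerifierDlls           # space-separated DLL names
            $bitSet = ($flags -band $FLG_APPLICATION_VERIFIER) -ne 0
            if (-not $bitSet -and -not $dlls) { return }    # nothing registered for this image
            foreach ($dll in ($dlls -split '\s+' | Where-Object { $_ })) {
                # A bare name is resolved from System32 by the loader; a full path is used as given.
                $path = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $env:SystemRoot "System32\$dll" }
                $sig  = if (Test-Path -LiteralPath $path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
                [pscustomobject]@{
                    Image      = $_.PSChildName
                    Hive       = $key
                    VerifierOn = $bitSet
                    Dll        = $dll
                    Path       = $path
                    Signature  = $sig
                }
            }
            if ($bitSet -and -not $dlls) {   # verifier bit set with no DLL list: still worth a look
                [pscustomobject]@{ Image = $_.PSChildName; Hive = $key; VerifierOn = $true; Dll = ''; Path = ''; Signature = '' }
            }
        }
    }
}

# On anything but a developer box every row deserves review; unsigned or non-System32 DLLs first.
Get-VerifierProviderRegistrations | Sort-Object Signature | Format-Table -AutoSize
```

Legitimate Application Verifier use on a developer machine produces the same entries, so the output is a review list rather than a verdict; a registration for a security product’s own executable pointing at an unsigned DLL outside System32 is the case the article is about.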

If you already have administrator permissions you can do pretty much whatever you want, including DLL injection to fool anti-virus software. (Though it might be easier to simply disable or remove it.) This new tool has the advantage of being stealthy, but is a 0-day that requires root really a 0-day?

[via The Hacker News]

42 thoughts on “From XP to 10, DoubleAgent pwns all your Windows?”

  1. But how many windoze systems run with the user as administrator? I know back when XP was around it was the norm, so much that many major applications had problems without it.

    1. Back in the days you had to log in as administrator at least once when plugging in a new/foreign USB drive. A dialog popped up asking you to enter credentials to “install drivers” (well, actually it installed nothing but it cached the VID/PID/serial number in the registry for quick identification and to allow non-administrators to use it).
      I think it was a “safety” feature to block users from plugging random devices into important PCs without authorization, but it ended up being useless and annoying. Safety should have been added to image decoders (do you know that WMF files support embedding hidden executable code?), Internet Explorer and that scary virus installer known as Autorun. All these flaws weren’t bugs but UX “features” that traded ease of use (as in: not having to double-click a file in a CD, which is extremely difficult, but rather having the installer pop up automagically) for security (as in: connecting the computer to the internet and immediately getting it full of viruses and assorted spyware without having to open anything).

        1. We didn’t survive. Blaster and Sasser silently infected lots of PCs connected to the internet without any user interaction, Autorun brought hidden self-installing viruses to USB drives (many viruses today still drop a hidden installer and autorun file on all drives they can find) and IE’s ActiveX, Visual Basic scripting and drive-by downloads were largely abused by websites in the 2000s.
          Only the WMF executables were discovered a lot of time later.

    2. Just pop up a dialog box that says “Right click and click Run This Program as Administrator to continue”, people will just do it. Most people just aren’t worried enough about security, and part of me thinks that might be healthier… but the bitter person inside me who gave up on computer security after realising it’s a social problem is still mad.

      1. It’s not that people are “not worried enough about security”, it is more of “people are not expected to know every little secret of complex systems deeply enough that they know what they are doing when they do it”. People are not the problem, systems are the problem. It is not people’s (user’s) fault that a random DLL hosts a virus in itself…

    3. When I last ran XP I ran as a non admin and still got 0wn3d. The big huge security hole thinly disguised as a web browser just lets anything in. The only thing XP ever did right was convince me to move to Linux.

      1. While I ran an XP desktop for a decade as admin and was infection free … having gone so far as to block Internet Exploiter from running on the system and using Mozilla/Firefox.

        1. Happened to me just before Firefox, and AOL had bought and ruined Netscape, so there wasn’t much choice. Ran Windows 2000 since the betas were in Technet and never a problem, XP a few months and it had malware issues on top of all its other issues. People say it was better after a couple service packs but I wasn’t waiting that long, made the switch and never looked back.

  2. “So it’s all over for Windows right?” Well… yes. The masses are used to clicking in the affirmative when the warning comes up to indicate that a process wants to run as an administrator.

      1. It started because UAC was hyper-paranoid on Vista, to the point that setting the clock brought up a full-screen block/allow prompt. Combine that with an ecosystem of legacy software and you’ve got a terrible user experience. UAC’s been around for 11 years now, and the ecosystem has grown with it, so you’re mostly going to see its prompts when you install software or if something hinky is going on these days.

        The “wisdom” to completely disable UAC “because it’s annoying” has unfortunately persisted, like the “wisdom” to not wear seatbelts because it’s “safer” to be ejected from your car rather than held inside in an accident.

        1. The problem was that it went from everything is allowed to damn near every keystroke asking for permission, so most people turned it off or allowed everything without looking.

          1. No, most people did no such thing. Most people just complained about it for a while, then got used to it because it’s not actually THAT intrusive.

    1. The first post-install step is to install Linux dual-booting with Windows. The second is to log into Linux and use the dd command to corrupt the Windows partition and its boot sector:
      dd if=/dev/urandom of=/dev/sdaX bs=4M
      (Replace sdaX with the Windows partition’s device.)
      The third step is to try booting Windows. The fourth is to destroy the computer with a hammer if Windows still works.

      1. Whoa there Nelly, has no one read ANYTHING regarding Vault 7? Which is OLD news comprising OLD techniques and OLD tools.
        Does no one think the NEW more advanced approaches aren’t not only in existence but continually evolving?
        Your security belong to us…

        https://betanews.com/2017/03/08/linux-foundation-wikileaks-vault-7-response/
        Vault 7 fallout: Linux Foundation says it’s “not surprising” Linux is targeted
        https://wikileaks.org/ciav7p1/
        “CIA malware targets Windows, OSx, Linux, routers

        The CIA also runs a very substantial effort to infect and control Microsoft Windows users with its malware. This includes multiple local and remote weaponized “zero days”, air gap jumping viruses such as “Hammer Drill” which infects software distributed on CD/DVDs, infectors for removable media such as USBs, systems to hide data in images or in covert disk areas ( “Brutal Kangaroo”) and to keep its malware infestations going.

        Many of these infection efforts are pulled together by the CIA’s Automated Implant Branch (AIB), which has developed several attack systems for automated infestation and control of CIA malware, such as “Assassin” and “Medusa”.

        Attacks against Internet infrastructure and webservers are developed by the CIA’s Network Devices Branch (NDB).

        The CIA has developed automated multi-platform malware attack and control systems covering Windows, Mac OS X, Solaris, Linux and more, such as EDB’s “HIVE” and the related “Cutthroat” and “Swindle” tools, which are described in the examples section below.”

  3. There’s a lot of ways to get administrative privileges pretty easily. Just a little bit ago I was playing around with a workstation at uni and found that all users had recursive RW perms on C:\wamp. I enumerated all of the services with a startup type set to “Automatic” and sure enough C:\wamp\bin\mysql\bin\mysqld.exe ran under a SYSTEM context. Using https://github.com/PowerShellMafia/PowerSploit/tree/dev/Privesc and Write-ServiceBinary I crafted a malicious mysqld and dropped it in the directory, and sure enough I was Admin after a quick reboot. I told campus IT about the bug but it goes to show how easy it is to pwn Windows…
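The misconfiguration this comment describes (an auto-start service whose binary lives in a directory every user can write to) is something an administrator can check for directly. The script below is an added example, not code from the commenter or from PowerSploit; it assumes only the standard `Win32_Service` class and NTFS ACLs, and reports auto-start services whose executable or containing directory grants write rights to low-privilege principals.

```powershell
# Added example (not from the comment): audit auto-start services whose binary, or the
# directory holding it, is writable by low-privilege principals, the weakness described above.
$lowPrivilege = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Any of these rights lets a non-admin replace or plant the executable the service launches.
$writeRights  = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete'

function Get-WritableServiceBinaries {
    Get-CimInstance Win32_Service -Filter "StartMode='Auto'" | ForEach-Object {
        $svc = $_
        # PathName may be quoted or unquoted and may carry arguments; keep only the executable.
        if ($svc.PathName -match '^"([^"]+)"|^(\S+)') {
            $exe = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
        } else { return }
        if (-not (Test-Path -LiteralPath $exe)) { return }   # skips \SystemRoot\ and \??\ forms
        foreach ($target in @($exe, (Split-Path -Parent $exe))) {
            $acl = Get-Acl -LiteralPath $target
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($lowPrivilege -notcontains $ace.IdentityReference.Value) { continue }
                if (($ace.FileSystemRights -band $writeRights) -eq 0) { continue }
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName      # LocalSystem is the case that matters most
                    Target    = $target
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

Get-WritableServiceBinaries | Format-Table -AutoSize
```

A service that runs as LocalSystem and shows up here is exactly the situation the comment describes; the fix is to tighten the ACL on the directory, or, as the IT reply below suggests, not to run a per-user tool as an automatic SYSTEM service at all.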

    1. Dear NextGenHacker101 wannabe,

      There is no C:\Wamp folder in Windows.
      Someone at your university created the folder, installed a service in the folder and then gave everyone write permissions to it.
      It’s easy to mess up an environment when you add or modify stuff without knowing how to handle permissions. What you describe would be just as easy to do on any given platform (yes, your beloved Linux too) when permissions are handled like that.
      The only thing your exercise shows is how easy it is to “pwn” your school’s computers. Care to share with us which school that is?

    2. That’s kind of IT’s fault there. I work in a uni IT too, we have WAMP for our students in some images; you can grant permission to start/stop a service for a normal user instead of automatically running it as SYSTEM. That way not only is it more secure but it doesn’t slow down the machine if they aren’t going to use it.

    1. Well… no. Once you have admin you can install persistence. Like we see now.

      This is a typical trick that NSA could use to get persistent access to a machine. No files modified so tamper detection is not triggered. That sort of stuff.

  4. Zero day really? This is a known trick I’ve known and had tucked back in my toolkit. It was shown to me. There is all kinds of DLL sideloading tricks. Also it requires admin access to… maintain admin access. Nothing new to see here.

  5. There is no exploit anywhere in this post, or anything novel. It’s like saying, “durrrr, if I have root, I can format your harddisk!”

    Also, there are a slew of ways to autorun programs on virtually every operating system. Especially if you have root. This technique has been documented (well, of course, because Microsoft actually provides documentation for it), but also something quite a few autorun check tools look for. So this is really neither 0-day, nor an exploit…

    1. Exactly. “Oh look! A well documented way to do useful things, restricted by adequate permissions.” So what?
      To quote Raymond Chen: “It rather involved being on the other side of this airtight hatchway”.

  6. I am curious if this could persist in my environment in any way. When a user logs off they are given a new vm from a gold image. Not much persists that I don’t intentionally copy with tools like folder redirections, profile (user’s registry settings) etc.
    Permission issue aside.
