Nowadays the malware attacks are increasing rapidly, and every user, as well as companies, are trying their best to bypass such unwanted situations.
Since Antivirus softwares are the key to evade such attacks, that’s why every users and company rely upon them to keep themselves safe. Here, the AV software plays a full-time task to stop such malware attacks and keep the users and the companies secure.
But all these software do have a weakness that could be a way for the threat actors to deactivate the protection of the software.
Once the hackers deactivate all the high-security protection they can easily take all the control of the software and can perform the ill-disposed operation as per their plan.
The University of London and the University of Luxembourg have given a brief detail regarding this twin attack. They asserted that currently, they are aiming to bypass the protected folder feature that is being offered by the antivirus programs.
However, these features mainly encrypt the files that are the cut-and-mouse and disable the real-time protection just by replicating the mouse click that is the Ghost Control.
Coordinated and Responsible Disclosure
The security researchers affirmed that they are sticking to an ethical code of conduct, as they know all the possible risks that can occur due to these two attacks.
But, the experts have not yet disclosed the software that can be used to exploit the above-mentioned vulnerability.
But they claimed that they have directly conducted all the AV companies, and shared all the details regarding these attacks and all possible methods that will help them to replicate the attacks.
Existing measures provided by Windows OS
To protect the processes from unauthorized modification, the experts have mentioned the security measures that are provided by the Windows OS, and here they are:-
- Ransomware Defense in AVs
- Process Protection via Integrity Levels
This attack generally helps the hackers in allowing the ransomware to bypass the detection of anti-ransomware solutions, which are specifically based on protected folders, and later it encrypts the files of the victim.
This attack is the most critical and is not easy to bypass, but the analysts have detected two entry points for the attack, and those two entry points allow the malware to evade this defense system.
Here are the two entry points mentioned below:-
- UIPI (User Interface Privilege Isolation) is unaware of trusted apps.
- AVs Do Not Monitor Some Process Messages.
However, using this vulnerability the attackers can bypass the anti-ransomware protection via controlling a trusted application.
The experts have encountered an exceptionally yet very simple utilization of the synthesized mouse incident method, as it enables the threat actors to deactivate nearly half of the consumer AV programs.
Apart from all these things, the threat actors can disable the AV protection by simulating the legal user actions so that they can easily activate the Graphical User Interface (GUI) of the AV program.
As per the analysis report, there are two reasons why Ghost Control is capable of deactivating the shields of several AV programs, and they are:-
- AV Interface with Medium IL
- Unrestricted Access to Scan Component
Controlling Real-time Protection of AVs
In order to collect all the coordinates of the mouse that are present on the screen, the prototype generally uses the GetCursorPos() Application Programming Interface (API).
However, in each simulated mouse click, the prototype sleeps for nearly 500 ms to make sure that the next menu should be easily available for the next GUI.
In controlling the real-time protection of AVs the experts have pronounced two ways that are collecting Coordinates to Disable AV and stopping Real-time Protection.
Bypassed Auxiliary Measures
- Insecure Sandboxing Methods
- Passing Human Verification (CAPTCHA verification)
Out of 29 antivirus solutions that were being detected by the researchers, it was evaluated that 14 of them were found vulnerable to the Ghost Control attack.
While on the other hand, all 29 antivirus programs were tested, and it has been found that each antivirus has a high risk from a Cut-and-Mouse attack.
Moreover, the security analysts have concluded that the security solutions that are being provided to each vendor are to be followed subsequently. Apart from this, the AV companies are still trying their best to successfully implement all the defenses.