Thursday, March 28, 2024

Antivirus Softwares Bug Let Hackers Bypass AV & Deactivate Their Protections

Nowadays the malware attacks are increasing rapidly, and every user, as well as companies, are trying their best to bypass such unwanted situations. 

Since Antivirus softwares are the key to evade such attacks, that’s why every users and company rely upon them to keep themselves safe. Here, the AV software plays a full-time task to stop such malware attacks and keep the users and the companies secure. 

But all these software do have a weakness that could be a way for the threat actors to deactivate the protection of the software. 

Once the hackers deactivate all the high-security protection they can easily take all the control of the software and can perform the ill-disposed operation as per their plan.

The University of London and the University of Luxembourg have given a brief detail regarding this twin attack. They asserted that currently, they are aiming to bypass the protected folder feature that is being offered by the antivirus programs.

However, these features mainly encrypt the files that are the cut-and-mouse and disable the real-time protection just by replicating the mouse click that is the Ghost Control.

Coordinated and Responsible Disclosure

The security researchers affirmed that they are sticking to an ethical code of conduct, as they know all the possible risks that can occur due to these two attacks.

But, the experts have not yet disclosed the software that can be used to exploit the above-mentioned vulnerability. 

But they claimed that they have directly conducted all the AV companies, and shared all the details regarding these attacks and all possible methods that will help them to replicate the attacks.

Existing measures provided by Windows OS

To protect the processes from unauthorized modification, the experts have mentioned the security measures that are provided by the Windows OS, and here they are:-

  • Ransomware Defense in AVs
  • Process Protection via Integrity Levels

Cut-and-Mouse

This attack generally helps the hackers in allowing the ransomware to bypass the detection of anti-ransomware solutions, which are specifically based on protected folders, and later it encrypts the files of the victim.

This attack is the most critical and is not easy to bypass, but the analysts have detected two entry points for the attack, and those two entry points allow the malware to evade this defense system.

Here are the two entry points mentioned below:-

  • UIPI (User Interface Privilege Isolation) is unaware of trusted apps.
  • AVs Do Not Monitor Some Process Messages.

However, using this vulnerability the attackers can bypass the anti-ransomware protection via controlling a trusted application.

Ghost Control

The experts have encountered an exceptionally yet very simple utilization of the synthesized mouse incident method, as it enables the threat actors to deactivate nearly half of the consumer AV programs.

Apart from all these things, the threat actors can disable the AV protection by simulating the legal user actions so that they can easily activate the Graphical User Interface (GUI) of the AV program.

As per the analysis report, there are two reasons why Ghost Control is capable of deactivating the shields of several AV programs, and they are:-

  • AV Interface with Medium IL
  • Unrestricted Access to Scan Component

Controlling Real-time Protection of AVs

In order to collect all the coordinates of the mouse that are present on the screen, the prototype generally uses the GetCursorPos() Application Programming Interface (API). 

However, in each simulated mouse click, the prototype sleeps for nearly 500 ms to make sure that the next menu should be easily available for the next GUI. 

In controlling the real-time protection of AVs the experts have pronounced two ways that are collecting Coordinates to Disable AV and stopping Real-time Protection.

Bypassed Auxiliary Measures

  • Insecure Sandboxing Methods
  • Passing Human Verification (CAPTCHA verification)

Out of 29 antivirus solutions that were being detected by the researchers, it was evaluated that 14 of them were found vulnerable to the Ghost Control attack. 

While on the other hand, all 29 antivirus programs were tested, and it has been found that each antivirus has a high risk from a Cut-and-Mouse attack. 

Moreover, the security analysts have concluded that the security solutions that are being provided to each vendor are to be followed subsequently. Apart from this, the AV companies are still trying their best to successfully implement all the defenses.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles