AVGater abuses antivirus software for local system takeover

Security researchers described a proof of concept exploit that affects multiple antivirus products and can lead to a full system takeover.

Florian Bogner, a security researcher based in Vienna, Austria, disclosed the issue and named it AVGater because, as Bogner wrote in his blog post, “every new vulnerability needs its own name and logo.”

Bogner said AVGater works by “manipulating the restore process from the virus quarantine.”

“By abusing NTFS directory junctions, the AV quarantine restore process can be manipulated, so that previously quarantined files can be written to arbitrary file system locations,” Bogner wrote in his blog post. “By restoring the previously quarantined file, the SYSTEM permissions of the AV Windows user mode service are misused, and the malicious library is placed in a folder where the currently signed in user is unable to write to under normal conditions.”
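The weakness Bogner describes is a privileged writer following a user-controlled path without checking what that path has become. As an added example (not code from Bogner's post or from any of the affected products), the routine below shows the check a quarantine-restore path should make before writing as SYSTEM: it walks every directory between the restore root and the destination and refuses to continue through any symlink or NTFS reparse point (directory junctions included). All paths and file names are constructed; on POSIX the self-check uses a symlink as a stand-in for the junction.

```python
import os
import shutil
import stat
import tempfile

def is_reparse_point(path: str) -> bool:
    # Symlink on any OS, or any NTFS reparse point (junctions included) on
    # Windows. os.lstat inspects the entry itself and never follows it.
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", 0)  # present on Windows only
    return stat.S_ISLNK(st.st_mode) or bool(
        attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))

def check_restore_path(root: str, dest: str) -> str:
    # Accept dest only if it stays under root and no directory between root
    # and dest is a link/junction, so a privileged writer cannot be redirected.
    root, dest = os.path.abspath(root), os.path.abspath(dest)
    rel = os.path.relpath(dest, root)
    if rel == os.curdir or rel.split(os.sep)[0] == os.pardir:
        raise PermissionError(f"{dest} is outside restore root {root}")
    cur = root
    for part in rel.split(os.sep)[:-1]:  # every directory component below root
        cur = os.path.join(cur, part)
        if is_reparse_point(cur):
            raise PermissionError(f"link/junction on restore path: {cur}")
    if os.path.lexists(dest) and is_reparse_point(dest):
        raise PermissionError(f"destination is a link: {dest}")
    return dest

def restore_from_quarantine(quarantined: str, root: str, dest: str) -> str:
    # Check-then-copy is still a race: a real service should additionally
    # impersonate the requesting user so the copy never runs with SYSTEM rights.
    dest = check_restore_path(root, dest)
    shutil.copyfile(quarantined, dest)
    return dest

def self_check() -> dict:
    # Constructed layout; on POSIX a symlink stands in for the NTFS junction.
    base = tempfile.mkdtemp()
    root, protected = os.path.join(base, "user"), os.path.join(base, "protected")
    os.makedirs(os.path.join(root, "plain")); os.makedirs(protected)
    os.symlink(protected, os.path.join(root, "Folder"))  # redirected directory
    q = os.path.join(base, "q.bin")
    with open(q, "wb") as f: f.write(b"constructed quarantined payload")
    out = {}
    for name, target in [("plain", "plain/x.dll"), ("junction", "Folder/x.dll"),
                         ("escape", "../protected/x.dll")]:
        try:
            restore_from_quarantine(q, root, os.path.join(root, target)); out[name] = "restored"
        except PermissionError:
            out[name] = "blocked"
    return out
```

`self_check()` restores the plain case and blocks both the redirected directory and the direct path escape.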

According to Bogner, he disclosed the AVGater vulnerability to Trend Micro, Emsisoft, Kaspersky Lab, Malwarebytes, Check Point and Ikarus Security Software, and all of those vendors have released patches for affected products.

Bogner did not specifically mention Symantec or McAfee in his post, and neither company had responded to questions at the time of this article.

Bogner suggested that keeping software up-to-date is a good way to mitigate the risk of AVGater, but also noted there are limitations to the exploit.

“As AVGater can only be exploited if the user is allowed to restore previously quarantined files, I recommend everyone within a corporate environment to block normal users from restoring identified threats,” Bogner wrote. “This is wise in any way.”

Satya Gupta, founder and CTO at Virsec Systems, an application threat software company based in San Jose, Calif., said AVGater is yet another way an attacker could manipulate “legitimate processes to launch malicious code or scripts.”

“It’s also another nail in the coffin for conventional signature-based antivirus solutions. We’ve known for a while that fileless and memory-based exploits fly under the radar of most AV systems, but now hackers can use AV tools to essentially disable themselves,” Gupta told SearchSecurity. “Hackers are relentless and will inevitably find clever ways to bypass perimeter security. The battle has to move to protecting the integrity of applications for process and memory exploits.”