As the threat of malware grows more and more dangerous every day, antivirus programs evolve and help to keep our systems protected. However, a newly-discovered exploit takes advantage of these applications' features against themselves.
Florian Bogner, an Austrian IT security professional, dubbed the exploit as 'AVGater.' It takes advantage of the function of modern antiviruses to take out a certain entry from quarantine, and place it somewhere else on the host system to re-introduce the malware.
As explained in the video, a local attacker can manipulate the antivirus' scanning engine to bring the malicious file out. Typically, a non-administrator user would not be allowed to write a file to system folders like 'Program Files' or 'Windows', but by abusing NTFS directory junctions, access to these directories would be granted.
To be able to do all of this, however, the attacker must have access to the computer they want to infect; enterprise customers can be seen more as the ones who can be a target, as users could accidentally or even intentionally release a file from quarantine, potentially infecting others on their network.
Several unnamed products have been tested for AVGater prior to the disclosure of the exploit. Kaspersky, Malwarebytes, ZoneAlarm, Trend Micro, Emsisoft, and Ikarus have all released patches, as of publishing.
Source: Florian Bogner via Digital Trends
15 Comments - Add comment