Detected vulnerability that uses the antivirus to spread malware


OyaYansa

Florian Bogner, a security researcher from Vienna (Austria), has detected a vulnerability affecting several antivirus programs that allows an attacker to take control of the computer. The security flaw is called AVGater and, according to Bogner's report, it has already been patched by some companies, including Trend Micro, Kaspersky, ZoneAlarm and Malwarebytes, among others.

What AVGater does is take advantage of the quarantine function of antivirus solutions to relocate the malware and gain full control of the machine. The first step of the process is that the victim receives a malicious file through a phishing email, which is detected by the antivirus and moved to the quarantine folder.

Next, the attacker has to have physical access to the computer he wants to compromise, although he does not need administrator permissions. Once on the computer, what the criminal does is manipulate the restoration process by abusing NTFS junction points, allowing him to place the file in any sensitive location he wants, such as C:\Windows or C:\Program. As a consequence, the malicious file is loaded by another process, infecting the PC with malware and granting the attacker all the permissions.

Bogner discovered this vulnerability while identifying weaknesses in the networks of his business clients. In proofs of concept, the researcher was able to obtain local administrator privileges using his exploit on different computers belonging to employees with limited permissions, which gave him access to the SAM (Single Account Manager) database, from which new user and group accounts can be created.

In addition to the companies that have already patched the security flaw, the expert has recently detected other antivirus programs that are vulnerable to AVGater, and is already working with them on a solution. Bogner has not revealed which affected brands have not yet remedied the vulnerability.
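The flaw described in the post comes down to a restore routine that follows a junction point placed by the local user and writes outside the directory it was meant to write to. The following added example (not code from Bogner's report or from any of the antivirus products named above) shows the defender-side check that closes that gap: before a quarantined file is restored, every path component of the destination is checked for a link, and the fully resolved destination must still lie under the directory the requesting user is allowed to restore into. The helper name `safe_restore`, the exception class and the temporary directories are assumptions made for the demo; a symlink stands in for an NTFS junction so it runs on any platform.

```python
import os
import shutil
import tempfile


class RestoreRefused(Exception):
    """Raised when a quarantine restore would land outside the allowed root."""


def _contains_link(path, root):
    """True if any component of `path` below `root` is a symlink/junction."""
    rel = os.path.relpath(path, root)
    current = root
    for part in rel.split(os.sep):
        current = os.path.join(current, part)
        if os.path.islink(current):
            return True
    return False


def safe_restore(quarantined, destination, allowed_root):
    """Copy `quarantined` to `destination` only if it cannot escape `allowed_root`.

    Two independent checks, both of which the AVGater-style restore lacked:
    1. no component of the destination path may be a reparse point/symlink;
    2. the resolved (realpath) parent directory must remain under allowed_root.
    Production code should additionally perform the write with the requesting
    user's privileges rather than as SYSTEM, and open the parent directory
    handle before writing (O_NOFOLLOW / FILE_FLAG_OPEN_REPARSE_POINT) to close
    the check-then-write race this simplified version still has.
    """
    parent = os.path.dirname(os.path.abspath(destination))
    root = os.path.realpath(allowed_root)
    if _contains_link(parent, allowed_root):
        raise RestoreRefused("destination path contains a link/junction")
    resolved_parent = os.path.realpath(parent)
    if os.path.commonpath([resolved_parent, root]) != root:
        raise RestoreRefused("destination resolves outside the allowed root")
    shutil.copyfile(quarantined, destination)
    return True


def demo():
    """Constructed scenario: an honest restore succeeds, a redirected one is refused.

    Returns (honest_ok, redirect_refused, file_landed_in_sensitive_dir).
    """
    base = tempfile.mkdtemp()
    try:
        quarantine = os.path.join(base, "quarantine")
        userdir = os.path.join(base, "userdir")      # where restores are allowed
        sensitive = os.path.join(base, "sensitive")  # stands in for C:\Windows
        for d in (quarantine, userdir, sensitive):
            os.mkdir(d)
        sample = os.path.join(quarantine, "sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"constructed quarantined sample, not real malware")

        # Legitimate restore back into the user's own directory.
        honest_ok = safe_restore(sample, os.path.join(userdir, "sample.bin"), userdir)

        # Low-privilege user swaps a subfolder for a link into the sensitive dir,
        # the same trick the post describes with NTFS junction points.
        os.symlink(sensitive, os.path.join(userdir, "Downloads"))
        try:
            safe_restore(sample, os.path.join(userdir, "Downloads", "sample.bin"), userdir)
            redirect_refused = False
        except RestoreRefused:
            redirect_refused = True

        landed = os.path.exists(os.path.join(sensitive, "sample.bin"))
        return honest_ok, redirect_refused, landed
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

Running the script prints `(True, True, False)`: the honest restore completes, the redirected restore is refused, and nothing is written into the stand-in for the sensitive directory. Note that the link check alone would miss a link placed above `allowed_root`, and the realpath check alone would miss a link that happens to resolve back inside the root, which is why both are kept.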
