Researchers have disclosed major security flaws in popular anti-virus applications that could be abused to deactivate their protections and to take control of whitelisted applications so that they perform malicious actions on behalf of malware, a trick that bypasses the ransomware defenses of anti-virus solutions.
Academics from the University of Luxembourg and the University of London detail two attacks (https://dl.acm.org/doi/10.1145/3431286): one that bypasses the Protected Folders feature provided by anti-virus programs in order to encrypt files (aka “Cut-and-Mouse”), and one that disables their real-time protection by simulating mouse “click” events (aka “Ghost Control”).
Professor Gabriele Lenzini, Chief Scientist at the Interdisciplinary Centre for Security, Reliability and Trust at the University of Luxembourg, said:
Antivirus software providers always provide a high level of security, and they are an important part of the daily fight against hackers. But they are now fighting hackers who have more and more resources and technology-defying capabilities.
In other words, a vulnerability in malware mitigation software would not only allow unauthorized code to turn off its protection; a design flaw in the protected folder feature provided by an anti-virus vendor could also be abused by ransomware, which drives a whitelisted application that is allowed to alter file contents in order to gain write access to the folders and encrypt user data, or by wiper software to completely destroy a victim’s personal files.
Protected folders allow users to specify folders that require an additional layer of protection against destructive software, potentially blocking any unsafe access to them.
“A small number of whitelisted applications are granted the privilege to write to protected folders,” the researchers said. “However, whitelisted applications are not inherently immune to abuse by other applications. Therefore, this trust is unreasonable, because malware can perform actions on protected folders by using whitelisted applications as an intermediary.”
An attack scenario devised by the researchers shows that malicious code can be used to control a trusted application, such as Notepad, to perform write operations and encrypt victim files stored in protected folders. To do this, the ransomware reads the files in the folder, encrypts them in memory, and copies them to the system clipboard. The ransomware then launches Notepad, overwriting the folder contents with the clipboard data.
To make matters worse, by leveraging Paint as a trusted application, the researchers found that the attack sequence described above could be used to overwrite a user’s files with randomly generated images, thereby permanently corrupting them.
Ghost Control attacks, for their part, can have serious consequences: turning off real-time malware protection by simulating legitimate user actions on an anti-virus solution’s user interface could allow attackers to drop and execute any rogue program from a remote server under their control.
Of the 29 anti-virus solutions evaluated during the study, 14 were found to be vulnerable to Ghost Control attacks, while all 29 tested anti-virus programs were found to be at risk from the aforementioned “Cut-and-Mouse” attack. The researchers did not disclose the names of the affected vendors.
If anything, these findings remind us that security solutions explicitly designed to protect digital assets from malware may have weaknesses in themselves that defeat their purpose. Even as antivirus software providers continue to fortify their defenses, malware authors have sneaked past these barriers through evasion and obfuscation tactics, not to mention the use of adversarial inputs to bypass detection of their behavior through poisoning attacks.
“Security composability is a well-known issue in security engineering,” the researchers said. “Components that provide a certain known attack surface when considered in isolation do create a broader attack surface when integrated into a system. Their interaction with other parts of the system creates a dynamic that attackers can also interact with, in ways that the designer could not have foreseen.”