Researchers have disclosed a new technique that allows malware to bypass the defenses of anti-virus solutions, such as anti-ransomware defenses. An attacker can do this by taking control of whitelisted applications.
The researchers, from the University of Luxembourg and the University of London, said the attacks work by circumventing the protected-folder feature that antivirus products use to keep malware from encrypting a user’s files (aka “Cut-and-Mouse”), and by disabling the real-time protection provided by antivirus programs through simulated mouse clicks (aka “Ghost Control”).
Antivirus software companies still offer high levels of security, but they have to fight a never-ending battle with criminals:
“Antivirus software providers always offer high levels of security,” said Prof. Gabriele Lenzini from the University of Luxembourg. “But they are competing with criminals, which now have more and more resources, power, and dedication.”
Security flaws in the Protected Folders solution could allow an attacker to modify the contents of a folder using a trusted app without requiring the permission of the user. For example, attackers can use ransomware to encrypt user data or wipeware to destroy the victim’s files.
Protected Folders are designed to protect against dangerous applications. However, whitelisted applications themselves are not protected from exploitation. “This trust is therefore unjustified, since a malware can perform operations on protected folders by using whitelisted applications as intermediaries,” researchers say.
The researchers stated that an attacker who can execute arbitrary code could take control of a trusted application such as Notepad and drive it to perform write operations on the user’s files, encrypting them through the trusted app.
The researchers also found that by abusing Paint, another trusted application, and saving randomly generated images over the user’s pictures, an attacker could wipe those pictures.
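As an added illustration (not from the article or the researchers’ work), the following is a defender-side check over constructed file-write events: it flags a whitelisted app that writes into a protected folder while launched by an unexpected parent process, or that writes in a burst no human user of Notepad or Paint would produce. The process names, folder paths, log format and thresholds are assumptions chosen for this example.

```python
from collections import defaultdict, deque
from datetime import datetime

# Apps that Protected Folders trusts (constructed list for this example).
WHITELISTED = {"notepad.exe", "mspaint.exe"}
# Folders under Protected Folders, lower-cased for matching (constructed).
PROTECTED = ("c:\\users\\alice\\documents", "c:\\users\\alice\\pictures")
# Parent that normally launches these apps when a real user opens them.
EXPECTED_PARENTS = {"explorer.exe"}
WINDOW_SECONDS = 60        # sliding window for counting writes
MAX_WRITES_PER_WINDOW = 3  # more than this from one trusted app is a burst

# Constructed sample events in the form "time|process|parent|op|path".
SAMPLE_LOG = """\
2021-06-01T10:00:00|notepad.exe|explorer.exe|WRITE|C:\\Users\\alice\\Documents\\notes.txt
2021-06-01T10:05:00|mspaint.exe|updater.exe|WRITE|C:\\Users\\alice\\Pictures\\a.png
2021-06-01T10:05:01|mspaint.exe|updater.exe|WRITE|C:\\Users\\alice\\Pictures\\b.png
2021-06-01T10:05:02|mspaint.exe|updater.exe|WRITE|C:\\Users\\alice\\Pictures\\c.png
2021-06-01T10:05:03|mspaint.exe|updater.exe|WRITE|C:\\Users\\alice\\Pictures\\d.png
2021-06-01T10:30:00|notepad.exe|explorer.exe|WRITE|C:\\Users\\alice\\Documents\\todo.txt
"""

def detect(log_text):
    """Return findings for trusted apps writing into protected folders suspiciously."""
    recent = defaultdict(deque)   # process -> timestamps of recent protected writes
    flagged = set()               # (process, reason) pairs already reported
    findings = []
    for line in log_text.splitlines():
        ts, proc, parent, op, path = line.split("|")
        proc, parent = proc.lower(), parent.lower()
        if proc not in WHITELISTED or op != "WRITE":
            continue
        if not path.lower().startswith(PROTECTED):
            continue
        t = datetime.fromisoformat(ts)
        # A trusted app driven by something other than the user's shell is the
        # "whitelisted intermediary" pattern the article describes.
        if parent not in EXPECTED_PARENTS and (proc, "unexpected-parent") not in flagged:
            flagged.add((proc, "unexpected-parent"))
            findings.append({"at": ts, "process": proc, "parent": parent, "reason": "unexpected-parent"})
        q = recent[proc]
        q.append(t)
        while (t - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()   # drop writes that fell out of the sliding window
        # A person saving files by hand does not produce many writes per minute.
        if len(q) > MAX_WRITES_PER_WINDOW and (proc, "write-burst") not in flagged:
            flagged.add((proc, "write-burst"))
            findings.append({"at": ts, "process": proc, "parent": parent, "reason": "write-burst", "writes": len(q)})
    return findings
```

Calling `detect(SAMPLE_LOG)` reports the Paint process twice (unexpected parent, then a write burst) and nothing for the two ordinary Notepad saves half an hour apart.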
Ghost Control is a type of attack that turns off real-time malware protection by simulating legitimate user actions. As this allows attackers to run rogue programs from their remote server, this could have serious consequences for a victim.
The researchers also found that 14 of the 29 antivirus solutions they evaluated were vulnerable to Ghost Control, while all 29 programs were at risk from the Cut-and-Mouse attack.
These findings remind us that security solutions designed to protect digital assets from cybercrime are not bullet-proof and can also expose themselves to attackers.
The researchers noted that components which present a certain known attack surface in isolation can present a wider one once they are integrated into a system.
“Secure composability is a well-known problem in security engineering,” the researchers said. “Components that, when taken in isolation, offer a certain known attack surface do generate a wider surface when integrated into a system. Components interacting with one another and with other parts of the system create a dynamic with which an attacker can interact too, and in ways that were not foreseen by the designer,” the researchers concluded.