Why it matters: Antivirus and antimalware programs are usually the most trusted type of software installed on a PC. Exploiting that well-known status, a security researcher developed a data-wiping tool potentially capable of erasing all of the data on a system.
Or Yair, a security researcher at SafeBreach, found several zero-day vulnerabilities that can turn endpoint detection and response (EDR) and antivirus (AV) tools into “next-generation wipers,” a potential new threat affecting hundreds of millions of endpoint systems (including consumer PCs) around the world.
A wiper is destructive malware designed to delete or corrupt files on a compromised system, to the point of making any attempt to recover that data pointless. Wipers need complete access to a file system to do their dirty work, which is, coincidentally, the same kind of access antivirus and EDR programs need in order to act promptly against a newly detected threat.
As Yair explained, “there are two main events when an EDR deletes a malicious file: first, the security software identifies a file as malicious, and then it deletes the file.” Yair’s goal was to act between those two events, using a junction point (a kind of symbolic link featured in the NTFS file system) to redirect the EDR tool towards a different path.
The researcher was after so-called time-of-check to time-of-use (TOCTOU) vulnerabilities, using a Mimikatz-type program disguised as a fake copy of the ndis.sys Windows network driver. The first attempt to redirect the original ndis.sys path (C:\Windows\system32\drivers\ndis.sys) to the fake one was unsuccessful, as some EDR programs blocked further access to the Mimikatz program after identifying it as a threat.
Yair further developed his method, keeping the malicious file open and forcing the antivirus to request a reboot in order to delete it. This was the opening the researcher was waiting for: by manipulating the junction point and rebooting, this new Aikido Wiper – so named by its creator – could erase entire directories, and even the root of the system disk (C:), without needing administrator privileges.
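The defensive side of the TOCTOU pattern described above, as an added example that is not SafeBreach’s code nor any vendor’s implementation: a name-based check-then-delete (the exploitable pattern) next to a handle-anchored deletion that refuses to traverse links. The scenario, directory names and file contents are constructed; POSIX symlinks stand in for NTFS junction points so the script runs on Linux or macOS, and the `st_file_attributes` check is only reached on Windows (where the `dir_fd` calls used here are not available, so the equivalent there is opening the file with the reparse-point flag and deleting through the handle).

```python
"""Added example: a quarantine-delete routine that cannot be redirected by a
junction/symlink swapped in between the check and the delete (TOCTOU)."""
import os
import stat
import tempfile


def _is_reparse_point(st: os.stat_result) -> bool:
    """True for a POSIX symlink or, on Windows, any reparse point (junctions included)."""
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def naive_delete(root: str, rel_path: str) -> bool:
    """Check-then-act by name. If a directory component has become a link in the
    meantime, both the check and the delete follow it to the redirected target."""
    full = os.path.join(root, rel_path)
    if not os.path.isfile(full):      # time of check: resolves the path
        return False
    os.remove(full)                   # time of use: resolves the path again
    return True


def walk_no_follow(root_fd: int, rel_path: str):
    """Open every directory component relative to the previously opened handle,
    with O_NOFOLLOW so a symlink/junction component fails instead of being followed.
    Returns (parent_dir_fd, leaf_name); raises PermissionError on links or escapes."""
    if os.path.isabs(rel_path):
        raise PermissionError("absolute path not allowed")
    parts = [p for p in rel_path.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError("empty path or path escapes the root")
    cur = os.dup(root_fd)
    for comp in parts[:-1]:
        try:
            nxt = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=cur)
        except OSError as exc:        # ELOOP for a link, ENOTDIR for a file, etc.
            os.close(cur)
            raise PermissionError(f"refusing component {comp!r}: {exc.strerror}") from None
        os.close(cur)
        cur = nxt
    return cur, parts[-1]


def safe_delete(root_fd: int, rel_path: str) -> bool:
    """Delete rel_path under root_fd without ever following a link. The leaf is opened
    with O_NOFOLLOW and verified through its own handle, and the unlink is issued
    relative to the held parent handle, so swapping a directory for a junction after
    the check cannot steer the delete at a file outside the quarantine root."""
    dir_fd, leaf = walk_no_follow(root_fd, rel_path)
    try:
        try:
            fd = os.open(leaf, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
        except OSError:
            return False
        try:
            st = os.fstat(fd)
            if not stat.S_ISREG(st.st_mode) or _is_reparse_point(st):
                return False
        finally:
            os.close(fd)
        # unlink never follows a link at the leaf, so even a last-moment swap of the
        # leaf itself removes at most the link, not its target
        os.unlink(leaf, dir_fd=dir_fd)
        return True
    finally:
        os.close(dir_fd)


def demo() -> dict:
    """Constructed scenario: 'quarantine/sub' is turned into a link to 'system/drivers'
    so that 'quarantine/sub/ndis.sys' names the real driver when resolved by path."""
    base = tempfile.mkdtemp(prefix="aikido_demo_")
    drivers = os.path.join(base, "system", "drivers")
    quarantine = os.path.join(base, "quarantine")
    os.makedirs(drivers)
    os.makedirs(quarantine)
    real_driver = os.path.join(drivers, "ndis.sys")
    with open(real_driver, "w") as fh:
        fh.write("constructed stand-in for the real driver\n")
    with open(os.path.join(quarantine, "evil.bin"), "w") as fh:
        fh.write("constructed stand-in for a detected file\n")
    os.symlink(drivers, os.path.join(quarantine, "sub"))   # the redirection

    result = {}
    root_fd = os.open(quarantine, os.O_RDONLY | os.O_DIRECTORY)
    try:
        result["safe_deleted_quarantined"] = safe_delete(root_fd, "evil.bin")
        try:
            safe_delete(root_fd, "sub/ndis.sys")
            result["safe_refused_redirect"] = False
        except PermissionError:
            result["safe_refused_redirect"] = True
        result["driver_intact_after_safe"] = os.path.exists(real_driver)
        result["naive_followed_redirect"] = naive_delete(quarantine, "sub/ndis.sys")
        result["driver_intact_after_naive"] = os.path.exists(real_driver)
    finally:
        os.close(root_fd)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the contrast: `safe_delete` removes the genuinely quarantined file, raises on the redirected path and leaves the driver stand-in untouched, while `naive_delete` follows the link and deletes it. The design point is that every step after the first `open` is relative to a handle the defender already holds, so there is no second path resolution for an attacker to race.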
Yair tested his Aikido Wiper against 11 security solutions, finding that 50% of them were vulnerable to the new technique. The vulnerable products included Microsoft Defender, Defender for Endpoint, SentinelOne EDR, TrendMicro Apex One, Avast Antivirus, and AVG Antivirus, while other solutions (Palo Alto, Cylance, CrowdStrike, McAfee, and BitDefender, among others) were not exploitable.
The researcher reported the flaws he discovered to all the vendors involved over the past months, and the companies responded by releasing fixes for their vulnerable EDR solutions.