The threat of malware is growing and becoming more dangerous. Developers behind antivirus programs are in a constant chase to keep their software up to date against the latest threats. It may not be common knowledge, but it is a race that antivirus vendors are not winning: companies too often react instead of preventing. AVGater is an exploit that specifically targets features of AV programs and turns them against the software. Bogner found that the exploit takes advantage of one particular function in AV software: the quarantine restore. It uses that gap to take a quarantined item and place it in a location of the attacker's choosing on the host system, which allows the enclosed malware to be re-introduced.
“#AVGater can be used to restore a previously quarantined file to any arbitrary filesystem location,” Bogner explains. “This is possible because the restore process is most often carried out by the privileged AV Windows user mode service. Hence, file system ACLs can be circumvented (as they don’t really count for the SYSTEM user). This type of issue is called a privileged file write vulnerability and can be used to place a malicious DLL anywhere on the system. The goal is to side load this library for a legitimate Windows server by abusing the DLL Search Order.” In other words, a local attacker uses AVGater to turn the antivirus program's own restore routine into a write primitive: the quarantined file is extracted again, but because the restore is performed by the privileged service and the NTFS directory layout it writes through can be manipulated, the file ends up outside the directory the user could normally write to. This circumvents the built-in protection that prevents non-administrators from touching system files.
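The defensive core of the issue described above is that a privileged restore routine writes to a path without checking where that path really leads. The following is an added example, not code from Bogner's research or from any AV vendor, showing the kind of validation such a restore routine needs: the destination must be relative, must not traverse upward, no component may be a link or reparse point (a user-planted junction is simulated here with a POSIX symlink), and the fully resolved path must still sit under the directory the restore is allowed to target. All directory names and file contents are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path


def _is_reparse_point(p: Path) -> bool:
    """True if p is a symlink, or on Windows any reparse point (junction, mount point)."""
    if p.is_symlink():
        return True
    try:
        attrs = getattr(os.lstat(p), "st_file_attributes", 0)
    except FileNotFoundError:
        return False  # component does not exist yet, so it cannot redirect anything
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def validate_restore_target(restore_root: Path, relative_dest: str) -> Path:
    """Return the vetted destination for a restore, or raise PermissionError.

    Checks performed before the privileged write:
      1. the requested destination is relative and contains no '..';
      2. no component under the restore root is a link or junction, so a
         user-planted redirection cannot steer the write elsewhere;
      3. the fully resolved path is still inside the restore root.
    """
    root = restore_root.resolve(strict=True)
    rel = Path(relative_dest)
    if rel.is_absolute() or ".." in rel.parts:
        raise PermissionError(f"rejected destination: {relative_dest!r}")
    current = root
    for part in rel.parts:
        current = current / part
        if _is_reparse_point(current):
            raise PermissionError(f"link or junction in restore path: {current}")
    final = current.resolve()
    if final != root and root not in final.parents:
        raise PermissionError(f"destination escapes restore root: {final}")
    return final


def restore_quarantined(quarantine_file: Path, restore_root: Path, relative_dest: str) -> Path:
    """Copy a quarantined file back, but only to a destination that passed validation."""
    dest = validate_restore_target(restore_root, relative_dest)
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(quarantine_file, dest)
    return dest


def demo() -> dict:
    """Constructed scenario: a restore root (the user's area), a protected directory
    outside it, and a link planted inside the restore root that points at the
    protected directory. Returns which outcomes the validation produced."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        quarantine, restore_root, protected = (
            base / "quarantine", base / "user_profile", base / "protected_system_dir")
        for d in (quarantine, restore_root, protected):
            d.mkdir()
        sample = quarantine / "sample.bin"
        sample.write_bytes(b"constructed quarantined content")
        # the user-controlled redirection: a link where an ordinary folder is expected
        os.symlink(protected, restore_root / "downloads", target_is_directory=True)

        results = {}
        restored = restore_quarantined(sample, restore_root, "docs/sample.bin")
        results["plain_restore_inside_root"] = restored.read_bytes() == sample.read_bytes()
        try:
            restore_quarantined(sample, restore_root, "downloads/sample.bin")
            results["restore_through_link_refused"] = False
        except PermissionError:
            results["restore_through_link_refused"] = True
        results["nothing_landed_in_protected"] = not any(protected.iterdir())
        try:
            restore_quarantined(sample, restore_root, "../protected_system_dir/sample.bin")
            results["traversal_refused"] = False
        except PermissionError:
            results["traversal_refused"] = True
        return results


if __name__ == "__main__":
    print(demo())
```

The check-then-write sequence shown here still leaves a small window between validation and the copy; a production restore service running as SYSTEM would additionally open the destination with flags that refuse to follow reparse points, or drop to the requesting user's token for the write so that the ACLs Bogner mentions apply again.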
AVGater Limitations
It is worth noting that, while this is a troubling exploit, it has one major limitation: it can only be used by an attacker who already has access to the machine they wish to infect. This means it will not spread through a network (unless there is access to a PC on it) or online. Because of this, in today's malware environment AVGater is relatively tame and unlikely to become a popular tool for attackers. Still running the race, many leading AV providers have caught up with AVGater. Kaspersky, Malwarebytes, ZoneAlarm, Trend Micro, Emsisoft, and Ikarus have all issued patches to shore up their products against this problem.