Researchers have disclosed significant security weaknesses in popular software applications that could be abused to deactivate their protections and take control of allow-listed applications to perform nefarious operations on behalf of the malware to defeat anti-ransomware defenses.
The twin attacks, detailed by academics from the University of Luxembourg and the University of London, are aimed at circumventing the protected folder feature offered by antivirus programs to encrypt files (aka “Cut-and-Mouse”) and disabling their real-time protection by simulating mouse “click” events (aka “Ghost Control”).
“Antivirus software providers always offer high levels of security, and they are an essential element in the everyday struggle against criminals,” said Prof. Gabriele Lenzini, chief scientist at the Interdisciplinary Center for Security, Reliability, and Trust at the University of Luxembourg. “But they are competing with criminals which now have more and more resources, power, and dedication.”
Put differently, shortcomings in malware mitigation software could not just permit unauthorized code to turn off their protection features, design flaws in Protected Folders solution provided by antivirus vendors could be abused by, say, ransomware to change the contents of files using an that’s provisioned write access to the folder and encrypt user data, or a wipeware to irrevocably destroy personal files of victims.
Protected Folders allow users to specify folders that require an additional layer of protection against destructive software, thereby potentially blocking any unsafe access to the protected folders.
“A small set of whitelisted applications is granted privileges to write to protected folders,” the researchers said. “However, whitelisted applications themselves are not protected from being misused by other applications. This trust is therefore unjustified, since a malware can perform operations on protected folders by using whitelisted applications as intermediaries.”
An attack scenario devised by the researchers revealed that malicious code could be used to control a trusted application like Notepad to perform write operations and encrypt the victim’s files stored in the protected folders. To this end, the ransomware reads the files in the folders, encrypts them in memory, and copies them to the system clipboard, following which the ransomware launches Notepad to overwrite the folder contents with the clipboard data.
Even worse, by leveraging Paint as a trusted application, the researchers found that the aforementioned attack sequence could be used to overwrite user’s files with a randomly generated image to destroy them permanently.
Ghost Control attack, on the other hand, could have serious consequences of its own, as turning off real-time malware protection by simulating legitimate user actions performed on the user interface of an antivirus solution could permit an adversary to drop and execute any rogue program from a remote server under their control.
Of the 29 antivirus solutions evaluated during the study, 14 of them were found vulnerable to the Ghost Control attack, while all 29 antivirus programs tested were found to be at risk from the Cut-and-Mouse attack. The researchers didn’t name the vendors who were affected.
If anything, the findings are a reminder that even security solutions that are explicitly designed to safeguard digital assets from malware attacks can suffer from weaknesses themselves, thus defeating their very purpose. Even as antivirus software providers continue to step up defenses, malware authors have sneaked past such barriers through evasion and obfuscation tactics, not to mention even bypassing their behavioral detection using adversarial inputs via poisoning attacks.
“Secure composability is a well-known problem in security engineering,” the researchers said. “Components that, when taken in isolation, offer a certain known attack surface do generate a wider surface when integrated into a system. Components interact one another and with other parts of the system create a dynamic with which an attacker can interact too and in ways that were not foreseen by the designer.”