Update: On 13 Nov 2017 we noted an article that looks pretty familiar. You can read the article at the following link. As such we thought we would update our article but we have one questions for the authors of this article. What about the other vectors? The zero days that cannot be patched? The DLL issue we already explained years ago but what about the operating system hooks?
As mentioned in a previous blog post we have been warning users of Antivirus products that certain functions can be used to turn these products against their users.
We have been using various exploits to show the vulnerabilities of these products during our penetration testing and exercises. Regardless of the warnings we still get responses from CEO's and security teams that Antivirus is critical to their organizations.
We completely disagree and feel as though while it stops some threats it opens a huge backdoor in that it has to run as an Administrative user on Windows platforms to be able to access and scan files on the filesystem.
Today while reviewing open source articles we read an article by Threatpost that looked very similar to our previous post about the topic. We are happy to see that others are also starting to research how Anti-Virus can be turned against users. The difference in the Threatpost article and our testing is that our methods do not require any user intervention. We have been able to successfully create administrator equivalent user accounts, delete users, read files to which we were not authorized by ACL's and many other really fun tricks.
One of the easiest vectors to attack are the automated actions of Anti-Virus. By using that to execute other code, you effectively turned a defensive product into an offensive weapon.
We don't think this is the last of this issue. It's only a matter of time until threat actors figure this out and start using it in their malware payloads more frequently.