Tuesday, November 12, 2024
HomeComputer SecurityAntivirus Softwares Bug Let Hackers Bypass AV & Deactivate Their Protections

Antivirus Softwares Bug Let Hackers Bypass AV & Deactivate Their Protections

Published on

Malware protection

Nowadays the malware attacks are increasing rapidly, and every user, as well as companies, are trying their best to bypass such unwanted situations. 

Since Antivirus softwares are the key to evade such attacks, that’s why every users and company rely upon them to keep themselves safe. Here, the AV software plays a full-time task to stop such malware attacks and keep the users and the companies secure. 

But all these software do have a weakness that could be a way for the threat actors to deactivate the protection of the software. 

- Advertisement - SIEM as a Service

Once the hackers deactivate all the high-security protection they can easily take all the control of the software and can perform the ill-disposed operation as per their plan.

The University of London and the University of Luxembourg have given a brief detail regarding this twin attack. They asserted that currently, they are aiming to bypass the protected folder feature that is being offered by the antivirus programs.

However, these features mainly encrypt the files that are the cut-and-mouse and disable the real-time protection just by replicating the mouse click that is the Ghost Control.

Coordinated and Responsible Disclosure

The security researchers affirmed that they are sticking to an ethical code of conduct, as they know all the possible risks that can occur due to these two attacks.

But, the experts have not yet disclosed the software that can be used to exploit the above-mentioned vulnerability. 

But they claimed that they have directly conducted all the AV companies, and shared all the details regarding these attacks and all possible methods that will help them to replicate the attacks.

Existing measures provided by Windows OS

To protect the processes from unauthorized modification, the experts have mentioned the security measures that are provided by the Windows OS, and here they are:-

  • Ransomware Defense in AVs
  • Process Protection via Integrity Levels

Cut-and-Mouse

This attack generally helps the hackers in allowing the ransomware to bypass the detection of anti-ransomware solutions, which are specifically based on protected folders, and later it encrypts the files of the victim.

This attack is the most critical and is not easy to bypass, but the analysts have detected two entry points for the attack, and those two entry points allow the malware to evade this defense system.

Here are the two entry points mentioned below:-

  • UIPI (User Interface Privilege Isolation) is unaware of trusted apps.
  • AVs Do Not Monitor Some Process Messages.

However, using this vulnerability the attackers can bypass the anti-ransomware protection via controlling a trusted application.

Ghost Control

The experts have encountered an exceptionally yet very simple utilization of the synthesized mouse incident method, as it enables the threat actors to deactivate nearly half of the consumer AV programs.

Apart from all these things, the threat actors can disable the AV protection by simulating the legal user actions so that they can easily activate the Graphical User Interface (GUI) of the AV program.

As per the analysis report, there are two reasons why Ghost Control is capable of deactivating the shields of several AV programs, and they are:-

  • AV Interface with Medium IL
  • Unrestricted Access to Scan Component

Controlling Real-time Protection of AVs

In order to collect all the coordinates of the mouse that are present on the screen, the prototype generally uses the GetCursorPos() Application Programming Interface (API). 

However, in each simulated mouse click, the prototype sleeps for nearly 500 ms to make sure that the next menu should be easily available for the next GUI. 

In controlling the real-time protection of AVs the experts have pronounced two ways that are collecting Coordinates to Disable AV and stopping Real-time Protection.

Bypassed Auxiliary Measures

  • Insecure Sandboxing Methods
  • Passing Human Verification (CAPTCHA verification)

Out of 29 antivirus solutions that were being detected by the researchers, it was evaluated that 14 of them were found vulnerable to the Ghost Control attack. 

While on the other hand, all 29 antivirus programs were tested, and it has been found that each antivirus has a high risk from a Cut-and-Mouse attack. 

Moreover, the security analysts have concluded that the security solutions that are being provided to each vendor are to be followed subsequently. Apart from this, the AV companies are still trying their best to successfully implement all the defenses.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Digital Wallets Bypassed To Allow Purchase With Stolen Cards

Digital wallets enable users to securely store their financial information on smart devices and...

Best SIEM Tools List For SOC Team – 2024

The Best SIEM tools for you will depend on your specific requirements, budget, and...

Oracle Releases Biggest Security Update in 2024 – 372 Vulnerabilities Are Fixed – Update Now!

Oracle has released its April 2024 Critical Patch Update (CPU), addressing 372 security vulnerabilities...