A security researcher known as Two Seven One Three has published a new technique that lets attackers inject malicious code directly into a running anti-virus process, turning the very processes the product protects into backdoors.


Anti-virus (AV) software is designed to be close to "invulnerable": it runs with SYSTEM privileges and relies on a self-protection mechanism to stop other processes from tampering with it. Attackers are now turning that same property against the system. If code can be placed inside the AV process, the malicious code inherits high privileges, is hard to detect, and can manipulate the system from a position defenders trust. The newly published technique shows that this is entirely feasible, which is what makes it worrying.

The problem is not that AV software is "weak" at detecting malicious code, but that AV vendors prioritize operational reliability. Many AV back-end components (user interface, VPN, firewall) are still permitted to write to the installation folder and run with SYSTEM privileges. The attacker takes advantage of these "sub-components" by:

  • Service cloning: exporting and re-importing a registry key to create a clone of an AV service. After a reboot, the Service Control Manager (services.exe) starts the copy, and it runs as a protected process.
  • Cryptography provider hijacking: pointing the registry key of a cryptographic provider at a malicious DLL; when the service starts, it loads that DLL as if it were a legitimate provider.
  • Digital signature forgery: using tools such as CertClone to copy the details of a legitimate signing certificate and sign the malicious DLL with the clone, in order to pass superficial signature checks.

By combining these steps, the attacker can write a file into the AV installation folder, execute commands with high privileges, and evade the AV's self-protection mechanism.

In practice the attacker creates an identical "fake" service, repoints the Windows cryptography provider to a malicious DLL signed with a cloned certificate, and starts the service. The DLL is loaded into the protected AV process, where it carries out its payload (for example writing files, opening a port, or launching a shell). Once this succeeds, the attacker can restore the original registry values to reduce the chance of detection.

If successful, the attacker holds high privileges on the victim's machine, and because the defensive software has been turned off or bypassed, the backdoor is hard to spot. The scope is broad because the method relies only on standard operating system features (services, the registry, cryptographic providers) and needs no kernel-level or zero-day vulnerability. Any system running an AV product that allows easy editing of the registry or importing of certificates is at risk.

The important point is that this is an abuse technique: administrative tooling, and the way the operating system allows trusted modules and drivers to be registered, together form the attack surface. In addition, the open-source proof-of-concept (IAmAntimalware) helps the community understand the risk, but it can also be misused, so its publication should be accompanied by clear mitigation recommendations.

Experts recommend:

  • AV vendors need to tighten control over module loading: monitor DLL paths, block loads from unknown directories, and strengthen signature verification so that a cloned certificate is not enough.
  • Systems need to restrict the ability to import arbitrary certificates into trusted stores; administrators should keep strict control over registry write permissions and over the registration of new providers.
  • Implement Protected Process Light (PPL) for critical processes and enable integrity checks.
  • Enterprises should monitor changes to services, system certificates, and write activity in the AV installation directory, and alert promptly on anything unusual.
  • End users should keep the operating system and AV software up to date and be careful when granting administrative rights to unfamiliar software.
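The monitoring items above can be turned into a concrete hunt. The following PowerShell script is an added example written for this article; it is not code from the original article or from the IAmAntimalware tool. It looks for the four artifacts the technique leaves behind: two service names sharing one binary (a cloned service), a cryptographic provider whose "Image Path" points outside System32 or is not validly signed, DLLs in the AV directory whose Authenticode signature does not chain to a trusted root (a CertClone-style signature reproduces the certificate's strings but still fails chain validation), and recent service installations recorded as Service Control Manager event 7045 in the System log. The AV installation path is an assumption and must be changed to match the product actually deployed; run the script in an elevated session.

```powershell
# Added example for this article (not the article's or IAmAntimalware's own code).
# Run as an administrator. $AvInstallDir is an assumed path; set it to your product.
$AvInstallDir = 'C:\Program Files\ExampleAV'   # assumption: replace with the real AV directory

# 1. Service cloning: services whose binary path resolves to the same executable.
function Find-DuplicateServiceBinaries {
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # Normalise "C:\x\svc.exe" /arg and C:\x\svc.exe -k arg to the bare executable path
            $exe = ($_.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
            [pscustomobject]@{ Name = $_.Name; StartName = $_.StartName; Exe = $exe.ToLowerInvariant() }
        } |
        Group-Object Exe |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { [pscustomobject]@{ Exe = $_.Name; Services = ($_.Group.Name -join ', ') } }
}

# 2. Cryptography provider hijack: CSP registrations whose Image Path leaves
#    %SystemRoot%\System32 or points at a file that is not validly signed.
function Find-SuspiciousCryptoProviders {
    $root = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'
    Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
        $img = (Get-ItemProperty $_.PSPath).'Image Path'
        if (-not $img) { return }
        $expanded   = [Environment]::ExpandEnvironmentVariables($img)
        $inSystem32 = $expanded -like "$env:SystemRoot\System32\*"
        $sigStatus  = if (Test-Path $expanded) { (Get-AuthenticodeSignature $expanded).Status } else { 'FileMissing' }
        if (-not $inSystem32 -or $sigStatus -ne 'Valid') {
            [pscustomobject]@{ Provider = $_.PSChildName; ImagePath = $expanded; Signature = $sigStatus }
        }
    }
}

# 3. Cloned-certificate signatures: DLLs under the AV directory whose signature
#    does not validate. A cloned certificate copies subject/issuer strings, but
#    the chain does not terminate at a trusted root, so Status is not 'Valid'.
function Find-UntrustedDlls([string]$Dir) {
    Get-ChildItem $Dir -Filter *.dll -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature $_.FullName
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Dll        = $_.FullName
                Status     = $sig.Status
                Signer     = $sig.SignerCertificate.Subject
                Thumbprint = $sig.SignerCertificate.Thumbprint
            }
        }
    }
}

# 4. Recent service installations: System log, Service Control Manager event 7045
#    (Service Name, File Name, Type, Start Type, Account). An imported service
#    clone shows up here once the system has been rebooted.
function Get-RecentServiceInstalls([int]$Days = 7) {
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $_.Properties[0].Value
            ImagePath   = $_.Properties[1].Value
            Account     = $_.Properties[4].Value
        }
    }
}

'== Services sharing one binary =='
Find-DuplicateServiceBinaries | Format-Table -AutoSize
'== Suspicious cryptographic providers =='
Find-SuspiciousCryptoProviders | Format-Table -AutoSize
"== DLLs in $AvInstallDir without a valid signature =="
Find-UntrustedDlls $AvInstallDir | Format-Table -AutoSize
'== Service installs in the last 7 days (event 7045) =='
Get-RecentServiceInstalls | Format-Table -AutoSize
```

Each function emits objects rather than text so the results can be exported or fed into a SIEM. Empty output for sections 1 to 3 is the expected baseline on a clean system; section 4 will legitimately list installer activity, so compare it against change records rather than treating every entry as hostile.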

The technique of injecting code into the AV process exposes a paradox: the stronger the protection, the more room there is for abuse if the underlying "trust" mechanism is not tight enough. The security industry needs to balance stability against security, update its protection mechanisms quickly, and review how certificates and the registry are administered, so that attackers cannot use the "shield" as the weak point.

WhiteHat