Many popular antivirus products, including those from Microsoft, SentinelOne, TrendMicro, Avast and AVG, can be abused through their own data-deleting feature, claims a leading cybersecurity researcher.
In the proof of concept document, Yair, who works for cybersecurity firm SafeBreach and dubbed the technique “Aikido”, explained how the exploit works via a Time of Check to Time of Use (TOCTOU) vulnerability.
In martial arts, Aikido refers to a Japanese style in which the practitioner uses the opponent’s own movements and power against them.
How does that work?
This vulnerability could be used to facilitate a class of cyberattacks known as “wipers”, commonly used in aggressive war situations.
A wiper in cybersecurity is a type of malware intended to wipe the hard drive of an infected computer, maliciously deleting data and programs.
According to the slide deck, the exploit redirects the endpoint detection software’s “superpower”, its ability to “delete all files regardless of permissions”, against the system it protects.
The full process outlined involves creating a malicious file at “C:\temp\Windows\System32\drivers\ndis.sys”.
The attacker then keeps a handle to that file open, which “forces AV/EDR to defer deletion until after the next reboot”.
Next, the attacker deletes the “C:\temp” directory, makes “a junction at C:\temp -> C:\” and reboots the machine, so the deferred deletion follows the junction to the real system file.
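The weakness in the sequence above is that the security product checks a path at one time and acts on it at another, while a directory in between has been swapped for a junction. The following added example (not code from the original article or from SafeBreach) shows the defender-side check that closes that window: record where the path actually resolved at check time, then re-resolve it at use time and refuse the deletion if any component was redirected or the target left the permitted root. It simulates the layout in a scratch directory, using a symlink as a stand-in for a Windows junction; all directory and file names are constructed for the demonstration.

```python
import os
import shutil
import tempfile
from pathlib import Path


def record_for_deletion(path: str, allowed_root: str) -> dict:
    """Check time: resolve the path and the root it must stay under, and remember both."""
    return {
        "requested": path,
        "resolved_at_check": os.path.realpath(path),
        "root_at_check": os.path.realpath(allowed_root),
    }


def deferred_delete(entry: dict) -> str:
    """Use time (for example after a reboot): re-resolve the path and refuse the
    delete if any component was redirected since the check or the target has
    escaped the root recorded at check time."""
    now = os.path.realpath(entry["requested"])
    if now != entry["resolved_at_check"]:
        return "refused: path redirected since check"
    if os.path.commonpath([now, entry["root_at_check"]]) != entry["root_at_check"]:
        return "refused: target outside allowed root"
    if os.path.islink(entry["requested"]) or not os.path.isfile(now):
        return "refused: not a regular file"
    os.remove(now)
    return "deleted"


def simulate(redirect: bool) -> dict:
    """Build a constructed layout mirroring the article's steps and run the
    deferred delete, with or without the directory-to-junction swap."""
    base = tempfile.mkdtemp()
    try:
        # Stand-in for C:\ with a legitimate driver file (constructed content).
        protected = Path(base, "protected")
        (protected / "Windows" / "System32" / "drivers").mkdir(parents=True)
        real_driver = protected / "Windows" / "System32" / "drivers" / "ndis.sys"
        real_driver.write_bytes(b"legitimate driver (constructed)")

        # Stand-in for C:\temp holding the decoy that the scanner flags.
        staging = Path(base, "temp")
        (staging / "Windows" / "System32" / "drivers").mkdir(parents=True)
        decoy = staging / "Windows" / "System32" / "drivers" / "ndis.sys"
        decoy.write_bytes(b"decoy flagged by the scanner (constructed)")

        # Check time: the scanner notes the decoy for deferred deletion.
        entry = record_for_deletion(str(decoy), str(staging))

        if redirect:
            # Between check and use, the staging directory is replaced by a link
            # to the protected root (symlink standing in for a junction).
            shutil.rmtree(staging)
            os.symlink(protected, staging, target_is_directory=True)

        # Use time: the deferred deletion runs with the re-resolution check.
        result = deferred_delete(entry)
        return {
            "result": result,
            "protected_driver_survives": real_driver.exists(),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print("no redirect:", simulate(False))
    print("redirected: ", simulate(True))
```

Without the swap the decoy is removed as intended; with the swap the path resolves somewhere else than it did at check time and the delete is refused, so the protected file survives. The same comparison applies to any deferred-action queue: whatever a product records for later must be resolved again, with reparse points followed, at the moment it acts.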
Only some of the most popular antivirus brands were affected, around 50%, according to Yair.
Microsoft Defender, Defender for Endpoint, SentinelOne EDR, TrendMicro Apex One, Avast Antivirus, and AVG Antivirus were among those affected, according to the slide deck prepared by the researchers.
Luckily, products like Palo Alto XDR, Cylance, CrowdStrike, McAfee and BitDefender were unscathed.