Clever Trick Turns Antivirus Software Into Unstoppable Data-Erasing Plagues

What just happened? Antivirus and anti-malware programs are considered among the most trusted software installed on a PC. Exploiting that trusted status, a security researcher has created a data-wiping tool potentially capable of erasing all data present on a system.

Or Yair, a security researcher at SafeBreach, discovered several zero-day vulnerabilities that could turn endpoint detection and response (EDR) and antivirus tools into “next-generation wipers,” a potential new threat affecting hundreds of millions of endpoint systems (including consumer PCs) all over the world.

A wiper is a type of destructive malware designed to erase or corrupt files on a compromised system, to the point of rendering any effort to recover said files useless. Wipers need full access to a file system to do their dirty deeds, the same kind of access that anti-virus and EDR programs coincidentally need to act quickly against a newly detected threat.


As Yair explains, “there are two main events when an EDR deletes a malicious file”: first, the protection software identifies a file as malicious, then it deletes it. Yair’s goal was to do something between these two events, using a junction point (a type of symbolic link found in the NTFS file system) to point the EDR tool at a different path.


The researcher was looking for so-called time-of-check-to-time-of-use (TOCTOU) vulnerabilities, using a Mimikatz-type program disguised as the ndis.sys Windows network driver. The first attempt to redirect the original ndis.sys path (C:\Windows\system32\drivers\ndis.sys) to the fake failed because some EDR programs blocked access to the Mimikatz program as soon as they detected it as a threat.

Yair developed his technique further, keeping the malicious file open and forcing the antivirus to ask for a restart to remove it. This was the opening the researcher was waiting for: by manipulating the Registry and restarting, the new Aikido Wiper – so named by its creator – could delete entire directories, even the root of the system disk (C:), without needing administrator privileges.
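To show the time-of-check/time-of-use gap Yair describes and the re-verification a deleter needs, here is an added Python example (not code from SafeBreach or any vendor) that races a naive path-based delete against one that refuses links and re-checks file identity. It assumes a POSIX system and uses a symlink in a temporary directory where the real technique uses an NTFS junction; the `Detection` structure and function names are hypothetical.

```python
import os
import tempfile
from dataclasses import dataclass

@dataclass
class Detection:
    """What the scanner records at time-of-check (hypothetical structure)."""
    path: str       # path the scanner flagged
    real_path: str  # fully resolved path at detection time
    inode: int      # file identity at detection time

def detect(path: str) -> Detection:
    """Time-of-check: remember where the file really was and what it was."""
    return Detection(path, os.path.realpath(path), os.stat(path).st_ino)

def naive_delete(det: Detection) -> None:
    """Deletes by path, trusting that nothing moved since detection."""
    os.remove(det.path)

def has_link_component(path: str) -> bool:
    """True if any directory on the path, or the file itself, is a link."""
    parts = path.split(os.sep)
    return any(os.path.islink(os.sep.join(parts[:i])) for i in range(2, len(parts) + 1))

def safe_delete(det: Detection) -> bool:
    """Time-of-use: refuse links, then re-check identity before removing."""
    if has_link_component(det.path) or not os.path.lexists(det.path):
        return False
    if os.path.realpath(det.path) != det.real_path or os.lstat(det.path).st_ino != det.inode:
        return False
    os.remove(det.path)
    return True

def scenario(naive: bool) -> bool:
    """Constructed race in a temp dir: the 'staging' directory holding the
    flagged file is swapped for a link to 'victim' between check and use.
    Returns True if the unrelated file in 'victim' survived."""
    base = os.path.realpath(tempfile.mkdtemp())
    staging, victim_dir = os.path.join(base, "staging"), os.path.join(base, "victim")
    os.mkdir(staging)
    os.mkdir(victim_dir)
    flagged, victim = os.path.join(staging, "payload.bin"), os.path.join(victim_dir, "payload.bin")
    open(flagged, "wb").close()
    open(victim, "wb").close()
    det = detect(flagged)                  # time-of-check
    os.remove(flagged)                     # ...then the directory is replaced
    os.rmdir(staging)
    os.symlink(victim_dir, staging)        # symlink stands in for an NTFS junction
    naive_delete(det) if naive else safe_delete(det)
    return os.path.exists(victim)
```

The naive path loses the unrelated file, while the re-verifying path leaves it untouched and reports that the deletion was refused.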

Yair tested his Aikido Wiper against 11 security solutions, finding that 50% of them were vulnerable to the new technique. Vulnerable products included Microsoft Defender, Defender for Endpoint, SentinelOne EDR, TrendMicro Apex One, Avast Antivirus, and AVG Antivirus, while other solutions (Palo Alto, Cylance, CrowdStrike, McAfee, and BitDefender, among others) were not vulnerable.

The researcher reported the flaws he found to all involved vendors over the past few months, and the companies responded by releasing patches for their vulnerable EDR solutions.
