DoubleAgent
Thu, 30 Mar 2017 10:33:51 +0200
Cute, but a 15-year-old design feature is not what I would call a zero-day.
DoubleAgent: Zero-Day Code Injection and Persistence Technique
We’d like to introduce a new Zero-Day technique for injecting code and maintaining persistence on a machine (i.e. auto-run), dubbed DoubleAgent.
DoubleAgent can exploit:
Every Windows version (Windows XP to Windows 10)
Every Windows architecture (x86 and x64)
Every Windows user (SYSTEM/Admin/etc.)
Every target process, including privileged processes (OS/Antivirus/etc.)
DoubleAgent exploits a 15-year-old legitimate feature of Windows and therefore cannot be patched.
Mitigation
Microsoft has provided a new design concept for antivirus vendors called Protected Processes
...
Currently no antivirus (except Windows Defender) has implemented this design, even though Microsoft made it available more than 3 years ago.