DoubleAgent: Unpatchable Windows Vulnerability Discovered
Researchers at Cybellum, an Israeli zero-day prevention firm, have discovered a vulnerability in Windows that allows attackers to take complete control of the system. Named DoubleAgent, the vulnerability affects all versions of Windows between Windows 10 and Windows XP.
According to Cybellum, “DoubleAgent gives the attacker the ability to inject any DLL into any process. The code injection occurs extremely early during the victim’s process boot, giving the attacker full control over the process and no way for the process to protect itself. The code injection technique is so unique that it’s not detected or blocked by any antivirus.”
Cybellum said in its report that because DoubleAgent exploits a 15-year-old legitimate feature of Windows, it cannot be patched.
What makes things worse is that DoubleAgent continues to inject code after reboots, which enables it to survive reboots, updates, reinstalls, and patches. Cybellum said that once the attacker decides to inject a dynamic-link library (DLL) into a process, they are “forcefully bounded forever. Even if the victim would completely uninstall and reinstall its program, the attacker’s DLL would still be injected every time the process executes.”
Even antivirus programs can’t prevent attacks because DoubleAgent takes complete control of any antivirus program by “injecting code into it while bypassing all of its self-protection mechanisms. The attack has been verified and works on all of the major antiviruses including but not limited to: Avast, AVG, Avira, Bitdefender, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Norton, Panda, Quick Heal and Trend Micro,” said Cybellum.