Hackers Exploit Avast Driver to Disable Security: Here’s a quick look at what to know.
Hackers have found a new way to bypass security defenses by exploiting a vulnerable Avast Anti-Rootkit driver. The campaign uses a legitimate, signed but outdated driver to disable security components and take control of the target system. The malware, known as AV Killer, drops the vulnerable driver and uses its kernel-level access to terminate security processes from various vendors.
How the Exploit Works
The attack begins with a piece of malware named kill-floor.exe, which drops the vulnerable driver as ntfs.bin into the default Windows user folder. The malware then creates a service called aswArPot.sys and registers the driver through it. Using a hardcoded list of 142 security process names, the malware compares the names of running processes against the list and terminates any matches. This allows the malware to disable security products from companies like McAfee, Symantec, Sophos, Avast, Trend Micro, Microsoft Defender, SentinelOne, ESET, and BlackBerry.
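The install sequence described above leaves a trace that defenders can alert on: a kernel-mode driver service whose image sits in a user folder, carries a non-driver extension, or reuses a security vendor's driver name from a non-standard path. The following detection logic is an added example written for this article, not code from the campaign or from any vendor; it runs over constructed Windows System log records in the layout of Event ID 7045 ("A service was installed in the system"). The sample records, the victim path, and the assumption that SystemRoot is C:\Windows are all constructed for illustration, and the watched driver-name set contains only the name the article gives.

```python
"""Flag BYOVD-style driver installs in Event ID 7045 records (added example).

The three sample records below are constructed, not real telemetry; only the
service name aswArPot and the dropped file name ntfs.bin come from the article.
"""
import re
from pathlib import PureWindowsPath

# Assumed SystemRoot; adjust for the host being examined.
DRIVERS_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")

# Security-product driver names known to have been abused. Only aswArPot is taken
# from the article; a defender would extend this set from the Microsoft vulnerable
# driver blocklist (assumption about how the list would be maintained).
WATCHED_DRIVER_NAMES = {"aswarpot"}

# Constructed Event ID 7045 records in the field layout the System log renders.
SAMPLE_EVENTS = [
    # 1. Legitimate install: vendor driver from the standard drivers directory.
    "Service Name: aswArPot\n"
    "Service File Name: \\??\\C:\\Windows\\System32\\drivers\\aswArPot.sys\n"
    "Service Type: kernel mode driver\n"
    "Service Start Type: demand start\n"
    "Service Account: \n",
    # 2. The pattern from the article: a driver dropped into a user folder under a
    #    non-.sys name, then registered as a kernel driver under the Avast name.
    "Service Name: aswArPot\n"
    "Service File Name: \\??\\C:\\Users\\victim\\ntfs.bin\n"
    "Service Type: kernel mode driver\n"
    "Service Start Type: demand start\n"
    "Service Account: \n",
    # 3. A user-mode service: not a driver, so outside the scope of this rule.
    "Service Name: VendorAgent\n"
    "Service File Name: \"C:\\Program Files\\Vendor\\agent.exe\"\n"
    "Service Type: user mode service\n"
    "Service Start Type: auto start\n"
    "Service Account: LocalSystem\n",
]

FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type|Service Account):[ \t]*(.*)$",
    re.M,
)


def parse_7045(record: str) -> dict:
    """Turn one rendered 7045 record into a dict of its named fields."""
    return {key: value.strip() for key, value in FIELD_RE.findall(record)}


def normalize_path(raw: str) -> PureWindowsPath:
    """Strip quotes and the NT '\\??\\' prefix and anchor SystemRoot-relative
    forms so that every image path compares as an absolute drive path."""
    p = raw.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    low = p.lower()
    if low.startswith("%systemroot%"):
        p = "C:\\Windows" + p[len("%SystemRoot%"):]
    elif low.startswith("\\systemroot\\"):
        p = "C:\\Windows\\" + p[len("\\SystemRoot\\"):]
    elif not re.match(r"^[A-Za-z]:", p):
        # Driver images are often logged relative to SystemRoot (e.g. System32\drivers\x.sys).
        p = "C:\\Windows\\" + p.lstrip("\\")
    return PureWindowsPath(p)


def is_under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive 'path lies below root' test on path components."""
    n = len(root.parts)
    return [s.lower() for s in path.parts[:n]] == [s.lower() for s in root.parts]


def in_user_profile(path: PureWindowsPath) -> bool:
    """True for images under <drive>:\\Users\\..., where no kernel driver belongs."""
    parts = [s.lower() for s in path.parts]
    return len(parts) >= 2 and parts[1] == "users"


def assess(record: str) -> list:
    """Return the list of reasons a 7045 record looks like a BYOVD install
    (empty list means no finding). User-mode services are ignored."""
    ev = parse_7045(record)
    if "kernel" not in ev.get("Service Type", "").lower():
        return []
    name = ev.get("Service Name", "")
    image = normalize_path(ev.get("Service File Name", ""))
    reasons = []
    if in_user_profile(image):
        reasons.append("kernel driver image located under a user profile directory")
    if image.suffix.lower() != ".sys":
        reasons.append(f"driver image has non-standard extension '{image.suffix or '(none)'}'")
    if name.lower() in WATCHED_DRIVER_NAMES and not is_under(image, DRIVERS_DIR):
        reasons.append(f"service name '{name}' matches a known-abused security driver "
                       f"but the image is outside {DRIVERS_DIR}")
    return reasons


def scan(records) -> list:
    """Run assess() over many records; each hit is a dict with name, image, reasons."""
    hits = []
    for record in records:
        reasons = assess(record)
        if reasons:
            ev = parse_7045(record)
            hits.append({"name": ev.get("Service Name", ""),
                         "image": str(normalize_path(ev.get("Service File Name", ""))),
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[ALERT] service {hit['name']} -> {hit['image']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

On the constructed input only the second record fires, with all three reasons; the legitimate Avast install and the user-mode service produce nothing. The rule deliberately keys on where the image lives rather than on the driver name alone, because the same name is registered by the genuine product on every host that runs it. Hash-based matching against the Microsoft vulnerable driver blocklist is the stronger complement, but it needs the blocklist's hashes, which this article does not reproduce.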
Consequences of the Attack
With the security defenses disabled, the malware can perform malicious activities without triggering alerts or being blocked. This can lead to data theft, ransomware attacks, and other harmful actions. The attack follows the bring-your-own-vulnerable-driver (BYOVD) approach, in which the attacker supplies a legitimately signed but vulnerable driver to obtain kernel-level access; the technique has been observed in other malware campaigns.
Historical Context of Similar Incidents
This is not the first time Avast’s Anti-Rootkit driver has been exploited. In early 2022, Trend Micro researchers discovered similar procedures while investigating an AvosLocker ransomware attack. In December 2021, SentinelLabs found two high-severity flaws in the driver that could be exploited to disable security products. Avast addressed these issues with security updates.
Strategies to Protect Against Driver Exploits
To protect against attacks that rely on vulnerable drivers, organizations can use rules that identify and block components based on their signatures or hashes. Microsoft offers solutions like the vulnerable driver blocklist policy file, which is updated with every major Windows release. Starting with the Windows 11 2022 Update, this list is active by default on all devices.
Conclusion and Takeaways
Hackers continue to find new ways to exploit vulnerabilities in legitimate software to bypass security defenses. It is crucial for organizations to stay vigilant and keep their systems updated with the latest security patches. By doing so, they can reduce the risk of falling victim to such attacks.