The Hacker News: “Malware Can Use This Trick to Bypass Ransomware Defense in Antivirus Solutions” - By Ravie Lakshmanan - June 01, 2021
Researchers have disclosed significant security weaknesses in popular software applications that could be abused to deactivate their protections and take control of allow-listed applications to perform nefarious operations on behalf of the malware to defeat anti-ransomware defenses.
The twin attacks, detailed by academics from the University of Luxembourg and the University of London, are aimed at circumventing the protected folder feature offered by antivirus programs to encrypt files (aka "Cut-and-Mouse") and disabling their real-time protection by simulating mouse "click" events (aka "Ghost Control").
"Antivirus software providers always offer high levels of security, and they are an essential element in the everyday struggle against criminals," said Prof. Gabriele Lenzini, chief scientist at the Interdisciplinary Center for Security, Reliability, and Trust at the University of Luxembourg. "But they are competing with criminals which now have more and more resources, power, and dedication."
Put differently, shortcomings in malware mitigation software could not just permit unauthorized code to turn off their protection features, design flaws in Protected Folders solution provided by antivirus vendors could be abused by, say, ransomware to change the contents of files using an app that's provisioned write access to the folder and encrypt user data, or a wipeware to irrevocably destroy personal files of victims.
Protected Folders allow users to specify folders that require an additional layer of protection against destructive software, thereby potentially blocking any unsafe access to the protected folders.
"A small set of whitelisted applications is granted privileges to write to protected folders," the researchers said. "However, whitelisted applications themselves are not protected from being misused by other applications. This trust is therefore unjustified, since a malware can perform operations on protected folders by using whitelisted applications as intermediaries."
Source: The Hacker News
Read More:
Researchers have disclosed significant security weaknesses in popular software applications that could be abused to deactivate their protections and take control of allow-listed applications to perform nefarious operations on behalf of the malware to defeat anti-ransomware defenses.
The twin attacks, detailed by academics from the University of Luxembourg and the University of London, are aimed at circumventing the protected folder feature offered by antivirus programs to encrypt files (aka "Cut-and-Mouse") and disabling their real-time protection by simulating mouse "click" events (aka "Ghost Control").
"Antivirus software providers always offer high levels of security, and they are an essential element in the everyday struggle against criminals," said Prof. Gabriele Lenzini, chief scientist at the Interdisciplinary Center for Security, Reliability, and Trust at the University of Luxembourg. "But they are competing with criminals which now have more and more resources, power, and dedication."
Put differently, shortcomings in malware mitigation software could not just permit unauthorized code to turn off their protection features, design flaws in Protected Folders solution provided by antivirus vendors could be abused by, say, ransomware to change the contents of files using an app that's provisioned write access to the folder and encrypt user data, or a wipeware to irrevocably destroy personal files of victims.
Protected Folders allow users to specify folders that require an additional layer of protection against destructive software, thereby potentially blocking any unsafe access to the protected folders.
"A small set of whitelisted applications is granted privileges to write to protected folders," the researchers said. "However, whitelisted applications themselves are not protected from being misused by other applications. This trust is therefore unjustified, since a malware can perform operations on protected folders by using whitelisted applications as intermediaries."
Source: The Hacker News
Read More:
Zaloguj
lub
Zarejestruj się
aby zobaczyć!
