  • Microsoft Defender, Avast, AVG turned against Windows to permanently delete files

    Karlston


    Or Yair, a security researcher at SafeBreach, recently published a proof-of-concept (POC) showing how anti-malware solutions could be tricked into wiping or permanently deleting harmless files on your PC. The POC is called "Aikido" and is inspired by the Japanese martial art that is used to turn opponents' moves against themselves. And while people continue to debate the usefulness and legitimacy of martial arts, there is no doubt that the Aikido wiper works. That is because Microsoft has already acknowledged the exploit in Defender and has patched the vulnerability.

     

    Other major anti-malware vendors like Avast, AVG, and TrendMicro were also found vulnerable to this flaw. Meanwhile, other popular solutions from the likes of McAfee and BitDefender went unscathed. Here is the full list of the tested products.

     

    [Image: table of tested anti-malware products, showing which were vulnerable to the Aikido wiper]

    Yair explains that the Aikido wiper is based on what is called a time-of-check to time-of-use (TOCTOU) vulnerability. An antivirus solution first detects and determines that a file is malicious and then deletes it. Aikido uses the TOCTOU window to substitute an alternate path after the malware has been detected, so that a legitimate file is deleted instead of the malicious one. Even system files could be deleted this way.

     

    The steps have been described in brief below:

     

    1. Create a special path with the malicious file at C:\temp\Windows\System32\drivers\ndis.sys
    2. Hold its handle and force the EDR or AV to postpone the deletion until after the next reboot
    3. Delete the C:\temp directory
    4. Create a junction C:\temp → C:\
    5. Reboot

     

    Interestingly, in the case of Defender and Defender for Endpoint, Yair noticed that Defender did not delete files, but folders instead. Microsoft has assigned the vulnerability ID "CVE-2022-37971" to this and has patched the issue in the latest Microsoft Malware Protection Engine version 1.1.19700.2.

     

    Meanwhile, TrendMicro, Avast and AVG have also released patches for their own products:

     

    • TrendMicro Apex One: Hotfix 23573 & Patch_b11136
    • Avast & AVG Antivirus: 22.10

     

    You can find more details about the Aikido Wiper and the exploit on SafeBreach's official website here. The Aikido Wiper POC was presented at the recent Black Hat Europe 2022 security conference. Hence, you may also find more information on this page.

     

    Via: Dark Reading
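The defensive side of the TOCTOU described above, as an added example that is not part of the original post or of any vendor's engine: a deletion routine that re-validates the path recorded at scan time and refuses to act once a link has been spliced into it. The scenario is constructed in a temporary directory, and a symlink stands in for the Windows junction so the check can be exercised on any platform.

```python
import os
import shutil
import stat
import tempfile


def has_link_component(path: str) -> bool:
    """True if any component of path (leaf included) is a symlink or, on
    Windows, a junction or other reparse point."""
    cur = os.path.abspath(path)
    while True:
        try:
            st = os.lstat(cur)
        except OSError:
            return True  # tree changed underneath us: refuse
        attrs = getattr(st, "st_file_attributes", 0)  # Windows only
        if stat.S_ISLNK(st.st_mode) or attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT:
            return True
        parent = os.path.dirname(cur)
        if parent == cur:
            return False
        cur = parent


def safe_delete(path: str, recorded: str) -> bool:
    """Deletion time: remove the file only if it is still the object that was
    scanned (recorded = realpath taken at scan time). A short race remains
    between check and unlink; a real engine should instead delete through a
    handle it opened at scan time."""
    if not os.path.lexists(path) or has_link_component(path):
        return False
    if os.path.realpath(path) != recorded:
        return False  # path now resolves somewhere else than when scanned
    os.remove(path)
    return True


def demo() -> dict:
    """Constructed scenario mirroring the write-up; a symlink stands in for
    the Windows junction."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        rel = os.path.join("Windows", "System32", "drivers", "ndis.sys")
        temp = os.path.join(root, "temp")
        flagged, protected = os.path.join(temp, rel), os.path.join(root, rel)
        for f in (flagged, protected):
            os.makedirs(os.path.dirname(f))
            open(f, "w").close()
        recorded = os.path.realpath(flagged)     # stored at scan time
        honest = safe_delete(flagged, recorded)  # unchanged tree: deleted
        shutil.rmtree(temp)                      # temp becomes a link to root
        os.symlink(root, temp)
        redirected = safe_delete(flagged, recorded)  # must be refused
        return {"honest": honest, "redirected": redirected,
                "protected_survived": os.path.exists(protected)}
```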

     

     
