Abusing the Restore from Quarantine feature
Antivirus programs are supposed to keep us safe from all that malware floating around online, but devious hackers have been known to utilize the software for malicious purposes. The latest example of this practice involves using the “restore from quarantine” feature and has been discovered in multiple AV solutions.
Austria-based security auditor Florian Bogner discovered the vulnerability and dubbed it AVGater. It essentially works by relocating malware from an AV quarantine folder to a sensitive location on a victim’s system.
Bogner, who works for Kapsch, says he has notified the vendors of all the antivirus programs that contained the flaw. Some of the companies have released updates that address the issue, including Emsisoft, Ikarus, Kaspersky, Malwarebytes, Trend Micro, and ZoneAlarm.
While penetration testing, Bogner infected clients’ PCs using a traditional phishing e-mail technique. The malware would then get quarantined by the AV program, and he would exploit vulnerabilities in the software that allowed unprivileged users to restore the quarantined files. Abusing a Windows feature called NTFS junction points allowed him to redirect the restored file into a privileged directory of his choosing, such as a folder within C:\Program Files or C:\Windows. The method also abuses the Dynamic Link Library (DLL) search order. The malware could then run with full privileges.
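The defensive signal in the technique described above is a junction created in a user-writable location that points into a privileged directory. The following is an added example, not code from the article or from Bogner's research, that audits a stream of junction-creation telemetry for that pattern. The log line format, the account names, and the paths are all constructed for the example; real endpoint telemetry will need its own parser.

```python
import re
from pathlib import PureWindowsPath

# Directories a standard user should never be able to redirect a
# quarantine restore into (constructed list for this example).
PRIVILEGED_ROOTS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)

# Locations where a standard user can normally create junctions.
USER_WRITABLE_ROOTS = (
    PureWindowsPath(r"C:\Users"),
    PureWindowsPath(r"C:\ProgramData"),
)

# Accounts whose junctions into privileged paths are expected (installers).
TRUSTED_USERS = frozenset({"SYSTEM"})

# Hypothetical telemetry line format, constructed for this example:
# <timestamp> user=<name> event=<type> link="<path>" target="<path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r'link="(?P<link>[^"]*)" target="(?P<target>[^"]*)"$'
)

# Constructed sample feed: one AVGater-style junction, one harmless
# developer junction, one installer junction, and an unrelated event.
SAMPLE_LOG = r"""
2017-11-12T09:15:02 user=alice event=junction_create link="C:\Users\alice\AppData\Local\Temp\restore" target="C:\Program Files\Example Vendor"
2017-11-12T09:16:40 user=bob event=junction_create link="C:\Users\bob\Projects\src" target="C:\Users\bob\Projects\build"
2017-11-12T09:18:11 user=SYSTEM event=junction_create link="C:\ProgramData\Installer\tmp" target="C:\Windows\System32"
2017-11-12T09:20:00 user=carol event=file_write link="C:\Users\carol\notes.txt" target=""
"""


def is_under(path, roots):
    """True if path is equal to or below any root; PureWindowsPath compares case-insensitively."""
    candidate = PureWindowsPath(path)
    for root in roots:
        try:
            candidate.relative_to(root)
            return True
        except ValueError:
            continue
    return False


def parse_line(line):
    """Parse one telemetry line into a dict, or None if it does not match the format."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def audit_junctions(log_text):
    """Return the junction events where an untrusted user links a user-writable
    location to a privileged directory, i.e. the restore-redirect pattern."""
    findings = []
    for raw in log_text.splitlines():
        record = parse_line(raw)
        if record is None or record["event"] != "junction_create":
            continue
        if record["user"] in TRUSTED_USERS:
            continue
        if is_under(record["link"], USER_WRITABLE_ROOTS) and is_under(
            record["target"], PRIVILEGED_ROOTS
        ):
            findings.append(record)
    return findings


if __name__ == "__main__":
    for hit in audit_junctions(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['user']}: {hit['link']} -> {hit['target']}")
```

Only alice's junction is reported: bob's stays inside his own profile, the SYSTEM junction is excluded as an expected installer action, and carol's event is not a junction at all. Matching on path prefixes rather than on the antivirus product keeps the check vendor-neutral, which matters because the article lists several affected products.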
The most significant limitation of AVGater is that it requires attackers to have physical access to a machine, but this could still be a big problem for shared computer environments.
Bogner says the best way to prevent being affected by AVGater is to keep your antivirus programs up to date, which is always good advice. For enterprise users, he suggests removing the ability to restore files from quarantine.
Nov 12, 2017