Avast security tools hijacked in order to crack antivirus protection
Vulnerable driver can be abused to disable antivirus protection
- Researchers spot new campaign that can turn off antivirus protection
- Malware uses legitimate Avast Anti-Rootkit driver to access kernel level
- Once antivirus is deactivated, the malware can proceed without detection
Hackers are using a legitimate Avast Anti-Rootkit driver to disguise their malware, turn off antivirus protection, and infect systems, experts have warned.
The vulnerable driver has been exploited in a number of attacks since 2021, with the original vulnerabilities being present since at least 2016, research by Trellix, has claimed, noting the malware can use the vulnerable driver to end the processes of security software at the kernel level.
The malware in question belongs to the AV Killer family, with the attack using a vector known as bring-your-own-vulnerable-driver (BYOVD) to infect the system.
Virus can turn off antivirus
Trellix outlined how the malware uses a file named ‘kill-floor.exe’ to place the vulnerable driver named ‘ntfs.bin’ into the default Windows user folder, before using the Service Control executable (sc.exe) to register the driver using the ‘aswArPot.sys’ service.
Included within the malware is a hardcoded list of 142 processes used by common security products, which is used to check system process snapshots for any matches.
The malware then uses the ‘DeviceIoControl’ API to run the relevant commands to end the process, thereby preventing the antivirus from detecting the malware.
The hardcoded list includes processes belonging to a number of security products from names such as McAfee, Avast, Microsoft Defender, BlackBerry, Sophos, and many more.
As BleepingComputer points out, this isn’t the first time a BYOVD attack has exploited a vulnerable Avast driver, with the 2021 Avoslocker ransomware attacks abusing an Avast Anti-Rookit driver. Sentinel Labs also spotted and reported two high-severity flaws to Avast in the same year, which were patched shortly after.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
You might also like
- Take a look at the best Cyber Monday antivirus deals
- What CIOs can do differently to prepare their infrastructure for a service outage
- These are the best firewall options for your business right now
Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.