A leading cybersecurity researcher has claimed that several popular antivirus programs such as Microsoft, SentinelOne, TrendMicro, Avast, and AVG could be exploited for their data-deletion capabilities.
in a proof of concept document (Opens in a new tab) Au Yair, dubbed “Aikido,” who works for cybersecurity firm SafeBreach, explained how the exploit works via what’s known as a time-of-use validation (TOCTOU) vulnerability.
Notably, in martial arts, aikido refers to a Japanese style where the practitioner looks to use the opponent’s movement and strength against himself.
How it works?
The vulnerability could be used to facilitate a variety of cyberattacks known as “wipers” according to Yair, which are commonly used in offensive warfare situations.
In cybersecurity, a wiper is a class of malware that aims to erase the hard drive of the computer it infects, maliciously deleting data and programs.
According to the chipset, the exploit redirects the “superpower” of endpoint discovery software to “delete any file regardless of privileges.”
The whole process described involved creating a malicious file in “C:tempWindowsSystem32driversndis.sys”.
This is followed by pressing the handle and forcing “AV/EDR delay deletion until after next reboot”.
This is followed by deleting “C:temp directory” and “creating a junction in C:temp -> C:”, followed by a machine restart.
Only some of the most popular antivirus brands were affected, about 50% according to Yair.
According to the slideshow prepared by the researcher, Microsoft Defender, Defender for Endpoint, SentinelOne EDR, TrendMicro Apex One, Avast Antivirus, and AVG Antivirus are some of those affected by the vulnerability.
Fortunately for some, products like Palo Alto, XDR, Cylance, CrowdStrike, McAfee, and BitDefender were unharmed.
- Are you interested in updating your cyber security tools? Check out our guide to the best malware removal tools