Many popular antivirus products, including those from Microsoft, SentinelOne, TrendMicro, Avast and AVG, can be exploited because of their data-deletion capabilities, a leading cybersecurity researcher has claimed.
In a proof-of-concept document dubbed “Aikido”, Or Yair, who works for the cybersecurity firm SafeBreach, explained how the exploit works through what is known as a time-of-check to time-of-use (TOCTOU) vulnerability.
In martial arts, Aikido is a Japanese discipline in which the practitioner turns the opponent’s own movement and strength against them.
How does it work?
The vulnerability can be used to carry out a class of attacks known as “wipers”, which, according to Yair, are often used in offensive wartime operations.
In cybersecurity, a wiper is a class of malware designed to wipe the hard drive of the computer it infects, maliciously deleting data and programs.
According to the slide deck, the exploit redirects the “superpower” of endpoint detection software to “delete any file, regardless of privileges.”
The process outlined involves creating a malicious file at “C:\temp\Windows\System32\drivers\ndis.sys”, then holding a handle on it so that the “AV/EDR is forced to postpone the removal until after the next reboot”.
The attacker then deletes the “C:\temp directory”, creates “a node in C:\temp –> C:\” so that the pending path now resolves to the real system directory, and reboots the machine.
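The weakness in the steps above is that the security product decides to delete a file at one moment and carries out the deletion at another, and the path is interpreted again in between. The following is an added example, not taken from Yair’s slides or from any of the affected products, of the defensive pattern that closes that window: record the identity of the flagged file at time of check, and at time of use refuse the deletion if any component of the path has become a link or if the path no longer refers to the same file. The helper names, the directory layout and the sample files are constructed for the example; a Linux symlink stands in for the Windows junction described above (on Windows, `Path.is_junction()` from Python 3.12 covers reparse points as well).

```python
import os
import tempfile
from pathlib import Path


def path_has_link(path: str) -> bool:
    """True if any component of `path`, including the leaf, is a symlink
    or (Python 3.12+ on Windows) a junction/reparse point."""
    p = Path(path)
    for component in [p, *p.parents]:
        if component.is_symlink():
            return True
        is_junction = getattr(component, "is_junction", None)  # 3.12+ only
        if is_junction is not None and is_junction():
            return True
    return False


def file_identity(path: str):
    """Device/inode pair identifying the object the path currently names.
    lstat so the leaf itself is never followed."""
    st = os.lstat(path)
    return (st.st_dev, st.st_ino)


def guarded_delete(path: str, expected_identity) -> bool:
    """Delete `path` only if, at time of use, no path component is a link
    and the path still names the file that was flagged at time of check.
    Returns True if the file was removed, False if the deletion was refused."""
    if path_has_link(path):
        return False
    try:
        if file_identity(path) != expected_identity:
            return False
    except FileNotFoundError:
        return False
    os.remove(path)
    return True


def demo() -> dict:
    """Constructed scenario: a flagged file under a staging directory that is
    swapped for a link to a directory holding a file that must survive."""
    # realpath: on some systems the temp directory is itself a symlink
    root = os.path.realpath(tempfile.mkdtemp())
    staging = os.path.join(root, "staging")
    victim = os.path.join(root, "victim")
    os.makedirs(os.path.join(staging, "sub"))
    os.makedirs(os.path.join(victim, "sub"))
    flagged = os.path.join(staging, "sub", "target.bin")
    protected = os.path.join(victim, "sub", "target.bin")
    with open(flagged, "wb") as f:
        f.write(b"decoy")                     # constructed flagged content
    with open(protected, "wb") as f:
        f.write(b"important")                 # constructed file to protect

    # Time of check: the scanner records what it decided to delete.
    ident = file_identity(flagged)

    # Between check and use the staging directory is replaced by a link,
    # so the same path string now resolves into the victim directory.
    os.remove(flagged)
    os.rmdir(os.path.join(staging, "sub"))
    os.rmdir(staging)
    os.symlink(victim, staging)

    # Time of use: the guarded delete must refuse.
    redirected_refused = not guarded_delete(flagged, ident)
    victim_intact = os.path.exists(protected)

    # Honest case: nothing changed between check and use, deletion proceeds.
    os.remove(staging)                        # drop the link
    os.makedirs(os.path.join(staging, "sub"))
    with open(flagged, "wb") as f:
        f.write(b"decoy")
    ident = file_identity(flagged)
    honest_deleted = guarded_delete(flagged, ident)

    return {
        "redirected_refused": redirected_refused,
        "victim_intact": victim_intact,
        "honest_deleted": honest_deleted,
    }


if __name__ == "__main__":
    print(demo())
```

The identity comparison is what matters for the reboot case described in the article: a deletion deferred to the next boot should carry the identity (or an open handle) of the object it was approved against, not just a path string to be re-resolved later.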
Only some of the most popular antivirus products were affected, around 50% according to Yair.
According to a slideshow prepared by the researcher, Microsoft Defender, Defender for Endpoint, SentinelOne EDR, TrendMicro Apex One, Avast Antivirus and AVG Antivirus were among those affected by the vulnerability.
Fortunately for some, products such as Palo Alto XDR, Cylance, CrowdStrike, McAfee and BitDefender were unscathed.