In a recent development, cybersecurity researchers have identified a method that allows attackers to inject malicious code directly into antivirus processes, effectively creating a backdoor within the very software designed to protect systems. This technique, detailed by researcher Two Seven One Three on X (@TwoSevenOneT), involves cloning protected services and hijacking cryptographic providers to bypass standard defenses.
Understanding the Technique
Antivirus programs are engineered with multiple layers of protection to prevent unauthorized access and ensure continuous operation. These measures include running processes with SYSTEM-level privileges, implementing process introspection to detect anomalies, conducting code integrity checks, and utilizing Windows’ Protected Process Light (PPL) feature to isolate processes from tampering. Additionally, kernel drivers are employed to monitor and block any alterations to detection mechanisms, and self-protection routines are in place to restart compromised components or alert users to suspicious activities.
Despite these robust defenses, the newly discovered technique exploits the antivirus software’s reliance on operating system features and targets less-guarded auxiliary components. Modern antivirus suites often include additional features such as firewalls, VPNs, and user interfaces, each running protected processes with write access to the installation folder. By manually exporting and importing registry keys for an antivirus service, such as Bitdefender’s BDProtSrv, attackers can create a duplicate service with identical configurations. Upon system reboot, this cloned service is loaded into the Services.exe cache, spawning a new protected process. Injection is then achieved by hijacking the Windows Cryptography API, which antivirus processes use for encryption and signing.
Implications and Mitigation
This method underscores a significant weakness in how antivirus solutions prioritize their own stability: the same protections that keep their processes unkillable also shield any code injected into them. By injecting code into these unkillable processes, attackers can gain elevated privileges to perform actions such as writing files to restricted directories, all while evading detection. As antivirus programs evolve to combat sophisticated threats, such techniques highlight the delicate balance between robust security and operational reliability.
To mitigate this risk, it is crucial for antivirus vendors to enhance the security of auxiliary components and implement stricter controls over service cloning and cryptographic provider usage. Users should ensure their antivirus software is up-to-date and remain vigilant for any unusual system behavior that could indicate a compromise.
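The service-cloning step described above leaves a footprint in the registry that defenders can look for. The following PowerShell script is an added example, not code from the article or the researcher; it assumes an elevated session on the host being checked and makes no changes.

```powershell
# Added example, not from the original article: read-only checks a defender can run
# in an elevated PowerShell session to surface cloned service definitions like the
# one described above. Two legitimate services may share a binary, so treat hits as
# items to review rather than proof of compromise.

$ServiceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ServiceKeyRecords {
    # One record per registry key under Services that describes a Win32 service
    # (Type 0x10 own-process or 0x20 shared-process). Drivers and per-user
    # service templates (Type flag 0x40) are skipped.
    Get-ChildItem -Path $ServiceRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p.ImagePath -and ($p.Type -band 0x30) -and -not ($p.Type -band 0x40)) {
            # Normalise quotes, environment variables and case so clones compare equal.
            $path = [Environment]::ExpandEnvironmentVariables($p.ImagePath)
            [PSCustomObject]@{
                Name        = $_.PSChildName
                DisplayName = $p.DisplayName
                Start       = $p.Start          # 2 = automatic start at boot
                ImagePath   = ($path -replace '"', '').Trim().ToLowerInvariant()
            }
        }
    }
}

function Find-DuplicateServiceBinaries {
    # svchost-hosted services legitimately share one ImagePath, so they are skipped.
    Get-ServiceKeyRecords |
        Where-Object { $_.ImagePath -notmatch '\\svchost\.exe' } |
        Group-Object -Property ImagePath |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [PSCustomObject]@{ ImagePath = $_.Name; Services = ($_.Group.Name -join ', ') }
        }
}

function Find-ServiceKeysUnknownToScm {
    # A service key written straight into the registry is not seen by the Service
    # Control Manager until the next boot, so a key with no matching SCM entry is
    # worth a look before that reboot happens.
    $known = @{}
    Get-Service | ForEach-Object { $known[$_.Name.ToLowerInvariant()] = $true }
    Get-ServiceKeyRecords | Where-Object { -not $known.ContainsKey($_.Name.ToLowerInvariant()) }
}

Write-Output '== Services sharing a binary =='
Find-DuplicateServiceBinaries | Format-Table -AutoSize
Write-Output '== Service keys not known to the SCM =='
Find-ServiceKeysUnknownToScm | Format-Table Name, DisplayName, Start, ImagePath -AutoSize
```

A duplicate whose ImagePath points into an antivirus installation folder, or a service key that the SCM has not yet loaded, is the pattern to escalate for review.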