Avast, AVG, and Microsoft Defender turned against Windows to erase files permanently.

Or Yair, a security researcher at SafeBreach, recently released a proof-of-concept (POC) demonstrating how anti-malware programmes can be made to delete or wipe harmless files from your computer. The POC, named "Aikido", takes its name from the Japanese martial art of using an opponent's own actions against them. Whatever one thinks of the value and legality of martial arts, the Aikido wiper's effectiveness is undeniable: Microsoft has already recognised the exploit and patched the vulnerability in Defender.

Three more prominent anti-malware vendors, Avast, AVG, and Trend Micro, were also found to be susceptible to this issue. Other well-known programmes from companies such as McAfee and Bitdefender were unaffected. The complete list of the tested products is shown below.

Yair shows that the Aikido wiper is built on a time-of-check to time-of-use (TOCTOU) vulnerability. An antivirus programme first identifies a file as malicious and only then deletes it. Between those two steps, Aikido swaps in a different path, so that the deletion ultimately destroys a trusted file rather than the malicious one. This even allows system files to be deleted.

The following is a brief description of the steps:

  • Create the malicious file at a specific path: C:\temp\Windows\System32\drivers\ndis.sys.
  • Hold a handle to it open, so that the EDR or AV defers deleting the file until after the next reboot.
  • Delete the C:\temp directory.
  • Create a junction from C:\temp to C:\.
  • Reboot.
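As an added illustration (not code from SafeBreach or from any of the vendors named), the following Python shows the defensive idea behind fixing such a TOCTOU bug: a pending deletion is bound to the identity of the file that was scanned (resolved path plus device/inode) and re-checked at time-of-use, and any path that now crosses a symlink or NTFS reparse point is refused. The `demo()` function re-enacts the directory swap in a temporary directory, with a symlink standing in for the junction, and the hardened routine leaves the decoy untouched; the names and layout are assumptions for the example.

```python
import os
import stat
import tempfile
from pathlib import Path

def record_identity(path: str) -> tuple:
    """Time-of-check: bind the deletion to the object (resolved path, dev, inode), not the path string."""
    st = os.stat(path)
    return os.path.realpath(path), st.st_dev, st.st_ino

def crosses_reparse_point(path: str) -> bool:
    """True if any component is a symlink or an NTFS reparse point (a junction is one)."""
    reparse = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0)
    p = Path(os.path.abspath(path))
    for part in (p, *p.parents):
        try:
            st = os.lstat(part)
        except FileNotFoundError:
            continue  # a missing component cannot be a link; check its parents
        if stat.S_ISLNK(st.st_mode) or getattr(st, "st_file_attributes", 0) & reparse:
            return True
    return False

def safe_delete(path: str, expected: tuple) -> bool:
    """Time-of-use: refuse if the path now crosses a link/junction or no longer names
    the recorded object. Deleting via a handle opened at scan time would close the race."""
    if crosses_reparse_point(path):
        return False
    try:
        if record_identity(path) != expected:
            return False
    except FileNotFoundError:
        return False
    os.remove(path)
    return True

def demo() -> tuple:
    """Constructed re-enactment (a symlink stands in for the junction); returns (deleted, decoy_survived)."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_root = os.path.join(tmp, "fakeroot")                  # stands in for C:\
        decoy = os.path.join(fake_root, "drivers", "ndis.sys")     # file to protect
        staged = os.path.join(tmp, "temp", "drivers", "ndis.sys")  # file the scanner flags
        for f in (decoy, staged):
            os.makedirs(os.path.dirname(f))
            open(f, "w").close()
        ident = record_identity(staged)                   # time-of-check
        os.remove(staged)                                 # temp/ is emptied ...
        os.removedirs(os.path.dirname(staged))            # ... and removed
        os.symlink(fake_root, os.path.join(tmp, "temp"))  # temp now points at "C:\"
        return safe_delete(staged, ident), os.path.exists(decoy)
```

Running `demo()` returns `(False, True)`: the deferred deletion is refused because the path now resolves through a link to a different object, and the decoy survives.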

Intriguingly, Yair observed that Defender and Defender for Endpoint deleted folders rather than files in these cases. Microsoft has assigned this vulnerability the ID "CVE-2022-37971" and fixed the problem in the most recent version of the Microsoft Malware Protection Engine, 1.1.19700.2.

Trend Micro, Avast, and AVG have also released patches for their own products:

  • Trend Micro: Apex One hotfix 23573 and patch b11136
  • AVG Antivirus and Avast: 22.10

Additional information about the Aikido wiper and the exploit is available on the official SafeBreach website. The Aikido wiper POC was presented at the recent Black Hat Europe 2022 security conference, so the conference page may also contain further information.

Via: Dark Reading

Christopher Woodill

About ME

Enterprise technology leader for the past 15+ years…certified PMP, Six Sigma Black Belt and TOGAF Enterprise Architect. I collaborate with companies to help align their strategic objectives with concrete implementable technology strategies. I am Vice President, Enterprise Solutions for Klick Health.
