Avast security tools hijacked to crack antivirus protection
- Researchers discover a new campaign that can disable antivirus protection
- Malware uses a legitimate Avast Anti-Rootkit driver to access the kernel level
- Once the antivirus is disabled, the malware can continue without detection
Hackers are using a legitimate Avast Anti-Rootkit driver to disguise their malware, disable antivirus protection and infect systems, experts warn.
The vulnerable driver has been exploited in a number of attacks since 2021, with the original vulnerabilities having been present since at least 2016, according to research by Trellix, which notes that the malware can use the vulnerable driver to terminate the processes of kernel-level security software.
The malware in question belongs to the AV Killer family, with the attack using a vector known as Bring-your-own-vulnerable-driver (BYOVD) to infect the system.
Virus can disable antivirus
Trellix outlined how the malware uses a file called ‘kill-floor.exe’ to place the vulnerable driver, renamed ‘ntfs.bin’, in the default Windows user folder, before launching the Service Control executable (sc.exe), which is used to register the driver as the ‘aswArPot.sys’ service.
Included in the malware is a hardcoded list of 142 processes used by commonly used security products, which is used to check snapshots of system processes for matches.
The malware then uses the ‘DeviceIoControl’ API to execute the relevant commands to terminate the process, preventing the antivirus from detecting the malware.
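The registration step above leaves a trace defenders can look for: a kernel-mode driver service installed from a user-writable folder, and in this case the Avast service name pointing at a file that is not the Avast driver. The following is an added detection example, not code from Trellix, Avast or BleepingComputer. It runs over constructed Windows System log records (assumed to be Event ID 7045, "A service was installed in the system", flattened to one line each) and generalises the article's specific case with a second rule that flags any kernel-mode driver whose image path lies under a user profile.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Constructed sample of Windows System log records (Event ID 7045,
# "A service was installed in the system"), flattened to one line each.
# These are illustrative only, not captured from a real incident.
SAMPLE_LOG = """\
7045 ServiceName=aswArPot ImagePath=C:\\Users\\victim\\ntfs.bin ServiceType="kernel mode driver"
7045 ServiceName=aswArPot ImagePath=C:\\Program Files\\Avast Software\\Avast\\aswArPot.sys ServiceType="kernel mode driver"
7045 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe ServiceType="user mode service"
7045 ServiceName=SomeFilter ImagePath=C:\\Users\\victim\\Downloads\\filter.sys ServiceType="kernel mode driver"
"""

EVENT_RE = re.compile(
    r'^(?P<event_id>\d+)\s+ServiceName=(?P<name>\S+)\s+'
    r'ImagePath=(?P<path>.+?)\s+ServiceType="(?P<type>[^"]+)"$'
)
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\", re.IGNORECASE)

# The legitimate Avast Anti-Rootkit driver and the service name the
# article says the malware registers its renamed copy under.
AVAST_ARPOT_SERVICE = "aswarpot"
AVAST_ARPOT_DRIVER = "aswarpot.sys"


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one flattened 7045 record; return None for anything else."""
    m = EVENT_RE.match(line.strip())
    if not m or m.group("event_id") != "7045":
        return None
    return m.groupdict()


def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons this service installation looks like BYOVD staging."""
    reasons = []
    name = event["name"].lower()
    path = event["path"]
    basename = ntpath.basename(path).lower()
    is_driver = "driver" in event["type"].lower()

    # Rule 1: the aswArPot service name is claimed, but the image is not the
    # Avast driver file it normally points at (the article's ntfs.bin rename).
    if name == AVAST_ARPOT_SERVICE and basename != AVAST_ARPOT_DRIVER:
        reasons.append(
            f"service {event['name']} points at {basename}, expected {AVAST_ARPOT_DRIVER}"
        )
    # Rule 2 (generalised): a kernel-mode driver installed from under a user
    # profile was almost certainly dropped there by user-level code.
    if is_driver and USER_PROFILE_RE.match(path):
        reasons.append(f"kernel-mode driver installed from user profile path {path}")
    return reasons


def detect(log_text: str) -> List[Dict[str, object]]:
    """Run both rules over a log and return one finding per suspicious event."""
    findings = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        reasons = assess(event)
        if reasons:
            findings.append(
                {"service_name": event["name"], "image_path": event["path"], "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding["service_name"], finding["image_path"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

On the constructed sample, the first record trips both rules (Avast service name with an `ntfs.bin` image, loaded from a user folder), the genuine Avast installation in Program Files passes, the user-mode Spooler service passes, and the unrelated `filter.sys` under Downloads trips only the general rule. In production the same logic would be fed from the System event log or a Sysmon driver-load event rather than a string.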
The hardcoded list includes processes belonging to a number of security products with names like McAfee, Avast, Microsoft Defender, BlackBerry, Sophos and many more.
BleepingComputer points out that this is not the first time a BYOVD attack has exploited a vulnerable Avast driver, citing 2021 AvosLocker ransomware attacks that exploited an Avast Anti-Rootkit driver. Sentinel Labs also noted and reported two serious flaws to Avast the same year, which were patched shortly afterwards.