Researchers Demonstrate How Antivirus Software Can Be Used for Self-Destruction
Researchers from RACK911 Labs have shown that, using symbolic links (directory junctions on Windows, symlinks on macOS and Linux), almost any antivirus product can be turned against itself: its own privileged file operations are redirected so that it deletes its own files, or even critical system files.
How the Attack Works
Most antivirus solutions operate in a similar way: when an unknown file is written to disk, the antivirus scans it in real time. If the file is deemed suspicious, it is either moved to quarantine, a protected area where it awaits further user action, or deleted. Because these actions must be able to remove or move files anywhere on the system, antivirus software typically runs with the highest privileges available. According to RACK911 Labs, this “opens the door to a wide range of security vulnerabilities and race condition uncertainties.”
The researchers point out that most antivirus solutions do not account for the brief gap between scanning a file and acting on it (a time-of-check-to-time-of-use race). A local attacker or malicious software can exploit this window with symbolic links: after the scanner has flagged the file but before it deletes or quarantines it, the attacker swaps the directory containing the file for a junction or symlink that points at a directory the attacker could not otherwise touch. The antivirus then performs its privileged delete on the redirected path. In this way an attacker can disable the antivirus software or render it completely useless.
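To make the race concrete, the following is a simulated version written for this article; it is not code from RACK911 Labs or from any antivirus vendor. A toy scanner that flags a constructed signature stands in for the antivirus, a `race_hook` callback stands in for the attacker winning the timing window (the real attack has to hit the gap by timing or by looping), and `protected/payload.bin` stands in for an antivirus or system file. The hardened variant shows one mitigation: opening the directory with `O_NOFOLLOW` and scanning, re-checking and unlinking the file relative to that handle, so a directory swapped for a symlink after the scan cannot move the delete. It runs on Linux and macOS (Windows lacks `dir_fd`, and the attacker would use a directory junction there).

```python
"""Simulated symlink race against a privileged 'scan then delete' routine.

Constructed example: a toy scanner stands in for the antivirus, a hook stands in
for the attacker winning the timing window. Unix-like systems only (uses
dir_fd-relative calls).
"""
import os
import stat
import tempfile
from typing import Callable

# Constructed stand-in for a detection signature; any file containing it is flagged.
SIGNATURE = b"X5O!P%@AP"


def looks_malicious(data: bytes) -> bool:
    return SIGNATURE in data


def vulnerable_scan_and_delete(path: str, race_hook: Callable[[], None]) -> bool:
    """Scan by path, then delete by path. Each call re-resolves the path, so an
    attacker who changes what the path points to in between redirects the delete."""
    with open(path, "rb") as f:
        if not looks_malicious(f.read()):
            return False
    race_hook()       # attacker wins the window between check and use
    os.remove(path)   # resolved again: now follows the attacker's symlink
    return True


def hardened_scan_and_delete(path: str, race_hook: Callable[[], None]) -> bool:
    """Anchor every operation to the directory and file that were actually scanned.

    The directory is opened once (O_NOFOLLOW refuses a symlink in its place) and the
    file is opened, scanned and unlinked relative to that handle, so renaming or
    replacing the directory afterwards cannot move the delete elsewhere."""
    dirname, name = os.path.split(path)
    dir_fd = os.open(dirname, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
        with os.fdopen(fd, "rb") as f:
            info = os.fstat(f.fileno())
            if not stat.S_ISREG(info.st_mode) or not looks_malicious(f.read()):
                return False
        race_hook()   # same attacker, same moment
        # The name must still refer to the inode we scanned (no swap for a link).
        now = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
        if (now.st_dev, now.st_ino) != (info.st_dev, info.st_ino):
            return False
        os.unlink(name, dir_fd=dir_fd)   # removes from the directory we opened
        return True
    finally:
        os.close(dir_fd)


def attacker_swap_directory(drop_dir: str, target_dir: str) -> None:
    """What the attacker does inside the window: move the drop directory aside and
    put a symlink (a directory junction on Windows) with the same name in its place."""
    os.rename(drop_dir, drop_dir + ".moved")
    os.symlink(target_dir, drop_dir)


def run_demo(hardened: bool) -> dict:
    """Constructed layout: drop/payload.bin is the flagged sample, protected/payload.bin
    stands in for an antivirus or system file the attacker wants deleted."""
    with tempfile.TemporaryDirectory() as root:
        drop = os.path.join(root, "drop")
        protected = os.path.join(root, "protected")
        os.mkdir(drop)
        os.mkdir(protected)
        sample = os.path.join(drop, "payload.bin")
        victim = os.path.join(protected, "payload.bin")
        with open(sample, "wb") as f:
            f.write(SIGNATURE + b" constructed sample")
        with open(victim, "wb") as f:
            f.write(b"important file that must survive")

        scanner = hardened_scan_and_delete if hardened else vulnerable_scan_and_delete
        scanner(sample, lambda: attacker_swap_directory(drop, protected))
        return {
            "victim_survived": os.path.exists(victim),
            "sample_deleted": not os.path.exists(os.path.join(drop + ".moved", "payload.bin")),
        }


if __name__ == "__main__":
    print("vulnerable:", run_demo(hardened=False))  # victim deleted, sample untouched
    print("hardened:  ", run_demo(hardened=True))   # sample deleted, victim intact
```

In the vulnerable run the privileged `os.remove` lands on the protected file and the actual sample survives in the moved-aside directory, which is exactly the inversion the researchers describe. Note that `O_NOFOLLOW` on its own only protects the last path component; what defeats the directory swap is holding the directory handle and doing the unlink relative to it.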
Potential Impact
The researchers were able to successfully delete important antivirus files on computers running Windows, macOS, and Linux, making the software ineffective. In some cases, they were even able to delete critical system files, causing severe damage that required a complete reinstallation of the operating system.
Attack Simplicity and Timing
According to the researchers, the attack itself is simple to carry out, and an experienced attacker could do it with ease. The hardest part is judging the exact moment to put the directory junction or symlink in place: timing is crucial, and even a one-second delay can render the exploit useless. With some antivirus solutions, however, timing did not matter at all; simply running the exploit in a loop until a swap landed inside the window was enough to trigger self-destruction.
Vendor Response
RACK911 Labs began notifying affected vendors in the fall of 2018, and most of them have already fixed the vulnerability, with only a few exceptions.