Ο Or Yair, ένας ερευνητής ασφάλειας στην SafeBreach, δημοσίευσε ένα proof-of-concept (POC) που δείχνει πώς μπορείτε να εξαπατήσετε antivirus για να διαγράψουν οριστικά αβλαβή αρχεία στον υπολογιστή σας.
POC is called “Aikido” and is inspired by the Japanese martial art that usesto direct the aggressive movements of the opponents against themselves.
Our PoC shows without a doubt that the Aikido wiper works. Microsoft has already identified the exploit in Defender and patched the vulnerability.
But there were other software manufacturers protectionς όπως οι Avast, avg και TrendMicro που ήταν ευάλωτοι σε αυτό το exploit. Άλλες δημοφιλείς λύσεις όπως το McAfee και το BitDefender δεν επηρεάζονται.
Here is the full list of tested products.
Yair mentions that Aikido wiper uses a vulnerability called time-of-check to time-of-use (TOCTOU).
It is an anti-virus solution that first detects and identifies a file as malicious and then deletes it.
Aikido using TOCTOU is used to insert an alternate path after malware detection that leads to deletion of normal files instead of malicious ones. Even system files could be permanently deleted.
In the case of Defender and Defender for Endpoint, Yair noticed that Defender didn't delete files, but folders. Microsoft listed the vulnerability ID as “CVE-2022-37971” and patched the vulnerability in the latest version 1.1.19700.2 of Microsoft Malware Protection Engine.
Meanwhile, TrendMicro, Avast and AVG also released updates to their products:
TrendMicro Apex One: Hotfix 23573 & Patch_b11136
Avast & AVG Antivirus: 22.10
More details about Akido Wiper and the exploit can be found on SafeBreach's official website here. The Akido Wiper POC was presented at the recent security conference Black Hat Europe 2022. So you can find more information here.