Or Yair, a cybersecurity researcher, claims that a large number of popular anti-virus products, including those from Microsoft, TrendMicro, and Avast, can be turned into tools for wiping data from a computer. Because these programs are used so widely around the globe, the report is an alarming one.
SafeBreach, a cybersecurity firm, has explained how the exploit works in a proof-of-concept document titled “Aikido”; the technique relies on a “time-of-check to time-of-use” (TOCTOU) race condition.
The name comes from Aikido, a Japanese martial art whose basic principle is using an opponent’s own force and movement to your advantage.
In a nutshell, here is how it works
According to the document, the vulnerability can be exploited to carry out a class of cyber-attacks often referred to as “wipers”, which are typically used against targets in offensive wartime operations. In cybersecurity, a wiper is a type of malware that can erase the entire hard drive of the computer it infects, maliciously deleting both data and programs.
According to the slide deck, the exploit redirects the “superpower” available to endpoint detection programs, their ability to “delete all files, regardless of their privileges”. It outlines how the attack begins by creating a malicious file at “C:/temp/Windows/System32/drivers/ndis.sys”.
The attacker keeps a handle to that file open, which forces the “AV/EDR to postpone the deletion until after the next reboot” and makes the operation harder to detect. As a result, the exploit is able to hold the handle for a long time.
In the next step, it deletes the “C:\temp” directory, creates a junction “C:\temp -> C:\”, and then reboots the computer.
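The defensive lesson in the steps above is that a deferred deletion must re-validate the path at time of use, not trust the check made earlier. The following Python script is an added example written for this article; it is not SafeBreach’s proof-of-concept or any vendor’s code. It shows a “safe deferred delete” that refuses to act when any component of the path has become a junction (on Windows, a reparse point) or a symlink, or when the path no longer resolves to the location recorded at check time. The scenario runs in a temporary directory with constructed file names, and on POSIX it uses a symlink as the stand-in for the C:\temp -> C:\ junction; the function names are the author’s own.

```python
import os
import stat
import tempfile


def is_reparse_point(path):
    """True if `path` itself (not its target) is a symlink or, on Windows, any
    reparse point such as a directory junction."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(st.st_mode):
        return True
    # On Windows, junctions carry FILE_ATTRIBUTE_REPARSE_POINT in st_file_attributes.
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def first_redirected_component(path):
    """Walk from the root down to `path` and return the first component that is a
    symlink/junction, or None if every component is a real directory or file."""
    abs_path = os.path.abspath(path)
    drive, rest = os.path.splitdrive(abs_path)
    current = drive + os.sep
    for part in [p for p in rest.split(os.sep) if p]:
        current = os.path.join(current, part)
        if is_reparse_point(current):
            return current
    return None


def safe_deferred_delete(path_at_check, real_at_check):
    """Time-of-use half of a deferred deletion.

    `path_at_check` is the path flagged earlier; `real_at_check` is its fully
    resolved location recorded at that moment. Delete only if no component has
    since been swapped for a junction/symlink and the path still resolves to
    the same real location. Returns (deleted, reason)."""
    redirected = first_redirected_component(path_at_check)
    if redirected is not None:
        return False, "refused: %s is a junction/symlink" % redirected
    if os.path.realpath(path_at_check) != real_at_check:
        return False, "refused: path no longer resolves to the verified location"
    if not os.path.isfile(path_at_check):
        return False, "nothing to delete"
    os.remove(path_at_check)
    return True, "deleted"


def run_scenarios():
    """Constructed scenario in a temp directory (no real system paths are touched).
    'protected' stands in for the system root that the junction points at."""
    base = os.path.realpath(tempfile.mkdtemp())
    protected = os.path.join(base, "protected")
    os.makedirs(protected)
    victim = os.path.join(protected, "target.sys")
    with open(victim, "w") as f:
        f.write("important file that must survive")

    # Scenario A: honest deferred delete, nothing changed between check and use.
    staging_a = os.path.join(base, "staging_a")
    os.makedirs(staging_a)
    flagged_a = os.path.join(staging_a, "target.sys")
    with open(flagged_a, "w") as f:
        f.write("flagged sample")
    a_deleted, _ = safe_deferred_delete(flagged_a, os.path.realpath(flagged_a))

    # Scenario B: after the check, the staging directory is removed and replaced
    # by a link to `protected`, the analogue of the C:\temp -> C:\ junction.
    staging_b = os.path.join(base, "staging_b")
    os.makedirs(staging_b)
    flagged_b = os.path.join(staging_b, "target.sys")
    with open(flagged_b, "w") as f:
        f.write("flagged sample")
    real_b = os.path.realpath(flagged_b)
    os.remove(flagged_b)
    os.rmdir(staging_b)
    os.symlink(protected, staging_b, target_is_directory=True)
    b_deleted, b_reason = safe_deferred_delete(flagged_b, real_b)

    return {
        "honest_deleted": a_deleted,
        "redirected_deleted": b_deleted,
        "redirected_reason": b_reason,
        "victim_intact": os.path.isfile(victim),
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(key, "=", value)
```

The honest deletion goes through, while the redirected one is refused and the file under `protected` survives. A production implementation would additionally open the file with a handle that does not follow reparse points and delete through that handle, rather than by path, but the per-component check above is the minimum that closes the window between check and use.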
Software affected by the exploit
According to the Aikido research, only a few of the best-known antivirus brands are affected by this attack.
In the slide deck he prepared, the researcher lists Microsoft Defender, Defender for Endpoint, SentinelOne EDR, TrendMicro Apex One, Avast Antivirus, and AVG Antivirus as examples of vulnerable products.
Other products, such as Palo Alto XDR, Cylance, CrowdStrike, McAfee, and BitDefender, were not found to be vulnerable, so a secure environment is still possible with them.