According to cybersecurity expert Or Yair, a number of well-known anti-virus programs, including those from Microsoft, TrendMicro, and Avast, can be turned into tools that wipe data from a PC. The finding is concerning because anti-virus software is used by a great many people worldwide. The cybersecurity company SafeBreach describes how the exploit works, using a time-of-check to time-of-use (TOCTOU) approach, in a proof-of-concept presentation titled “Aikido.”
The Japanese martial art of aikido enables you to use your adversary’s strength and movement against them.
What it Does
According to the document, the weakness can be used for a range of “wiper” attacks, which are frequently deployed in offensive operations. In cybersecurity, a wiper is malware that seeks to wipe the hard drive of the computer it infects, deliberately destroying data and programs.
According to the presentation deck, the attack turns the endpoint detection product’s “superpower”, its ability to “destroy all files, regardless of their privileges”, against the system it protects. The procedure begins by creating a malicious file and placing it at “C:\temp\Windows\System32\drivers\ndis.sys”.
To make it more difficult to detect, the exploit keeps a handle open on the file, which instructs the “AV/EDR to postpone the deletion until after the next reboot.”
Before the computer restarts, it deletes the “C:\temp” directory and creates a junction “C:\temp -> C:\”, so that the deferred deletion of the staged file lands on the real system path instead.
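As an added illustration, not code from the SafeBreach research or from any vendor, the following Python models the re-validation a deferred-delete routine needs at time-of-use to close the gap Aikido exploits: it pins the resolved path and file identity at time-of-check, refuses to delete if the path later traverses a link or junction or no longer resolves to the same file, and simulates the directory swap in a temporary folder. The file names and paths are constructed stand-ins, and a symlink stands in for the NTFS junction.

```python
import os
import shutil
import tempfile

def record_pending_delete(path: str) -> tuple:
    """Time-of-check: remember the requested path, what it resolved to, and the file's identity."""
    resolved = os.path.realpath(path)
    st = os.stat(resolved)
    return path, resolved, (st.st_dev, st.st_ino)

def path_crosses_link(path: str) -> bool:
    """True if any component of the path is a symlink or, on Windows with Python 3.12+, a junction."""
    is_junction = getattr(os.path, "isjunction", lambda _p: False)
    p = os.path.abspath(path)
    while p != os.path.dirname(p):
        if os.path.islink(p) or is_junction(p):
            return True
        p = os.path.dirname(p)
    return False

def safe_deferred_delete(pending: tuple) -> tuple:
    """Time-of-use: re-validate against what was checked, then delete. Returns (deleted, reason)."""
    requested, checked_path, checked_identity = pending
    if path_crosses_link(requested):
        return False, "refused: path now traverses a link or junction"
    try:
        resolved = os.path.realpath(requested)
        st = os.stat(resolved)
    except OSError as exc:
        return False, f"refused: target vanished ({exc.strerror})"
    if resolved != checked_path or (st.st_dev, st.st_ino) != checked_identity:
        return False, "refused: target changed since time-of-check"
    os.remove(resolved)
    return True, "deleted"

def simulate_aikido_swap() -> dict:
    """Stage a decoy, queue it for deletion, swap its parent for a link, then run the re-check."""
    with tempfile.TemporaryDirectory() as root:
        real = os.path.join(root, "drivers", "ndis.sys")  # constructed stand-in for the protected file
        decoy = os.path.join(root, "temp", "drivers", "ndis.sys")
        for f in (real, decoy):
            os.makedirs(os.path.dirname(f))
            open(f, "w").close()
        pending = record_pending_delete(decoy)       # scanner flags the decoy, defers the delete
        shutil.rmtree(os.path.join(root, "temp"))    # the swap: temp directory becomes a link to root
        os.symlink(root, os.path.join(root, "temp"))  # (a symlink stands in for the NTFS junction)
        naive_hits_real = os.path.realpath(decoy) == os.path.realpath(real)
        deleted, reason = safe_deferred_delete(pending)
        return {"deleted": deleted, "reason": reason,
                "naive_hits_real": naive_hits_real, "real_survives": os.path.exists(real)}
```

Running simulate_aikido_swap() shows that a naive delete of the queued path would now land on the stand-in for the real driver, while the re-validated delete refuses and the real file survives.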
Antivirus Software in Question
Fortunately, according to the Aikido research, only a small number of the best-known antivirus vendors were affected.
The researcher’s PowerPoint deck lists the susceptible products: Microsoft Defender, Defender for Endpoint, SentinelOne EDR, TrendMicro Apex One, Avast Antivirus, and AVG Antivirus.
Other products were found not to be affected, including Palo Alto XDR, Cylance, CrowdStrike, McAfee, and BitDefender.