22.04.2020

Rack911: Easy to manipulate antivirus software into self-destructive tools

RACK911 Labs has come up with a unique but simple method of using directory junctions (Windows) and symlinks (macOS & Linux) to turn almost every antivirus product into a self-destructive tool.

Rack911 has shown that most antivirus software fails to account for the small window of time between the initial file scan that detects the malicious file and the cleanup operation that runs immediately afterwards. A malicious local user or malware author can often win that race by inserting a directory junction (Windows) or a symlink (Linux & macOS), so that the antivirus's privileged file operation (delete, move or quarantine) is redirected at a file of the attacker's choosing: the antivirus's own files, to disable it, or operating-system files, to render the system unusable.
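The defensive fix for the race described above is to make the cleanup pass never follow links and never act on anything other than the exact file the scan saw. The Python below is an added example of that pattern, not code from RACK911's blog post or from any antivirus vendor. It assumes Linux (or another platform where Python's `os` functions accept `dir_fd`), walks the path one component at a time with `O_NOFOLLOW`, and records the scanned file's (device, inode) identity so that cleanup can refuse to delete a different file. The `demo_swapped` function constructs the race outcome in a temporary directory (the directory is replaced by a symlink between scan and cleanup) purely to show that the hardened cleanup holds. On Windows the equivalent would be opening with `FILE_FLAG_OPEN_REPARSE_POINT` and rejecting reparse points, which this example does not cover.

```python
import os
import stat
import tempfile


def _split(rel_path):
    """Normalise a relative path into components; reject traversal."""
    parts = [p for p in rel_path.replace("\\", "/").split("/") if p and p != "."]
    if not parts or ".." in parts:
        raise ValueError("expected a relative path without '..'")
    return parts


def _walk_nofollow(root_fd, dir_parts):
    """Open each intermediate directory relative to its parent with
    O_NOFOLLOW|O_DIRECTORY. A symlink anywhere in the chain makes open()
    fail, which is exactly the behaviour we want during cleanup."""
    fd = os.dup(root_fd)
    try:
        for part in dir_parts:
            nfd = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nfd
        return fd
    except OSError:
        os.close(fd)
        raise


def scan_file(root, rel_path):
    """Stand-in for the detection pass: open the file without following
    links and return the identity (st_dev, st_ino) of what was scanned."""
    parts = _split(rel_path)
    root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        dir_fd = _walk_nofollow(root_fd, parts[:-1])
        try:
            fd = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
            try:
                st = os.fstat(fd)
                return (st.st_dev, st.st_ino)
            finally:
                os.close(fd)
        finally:
            os.close(dir_fd)
    finally:
        os.close(root_fd)


def safe_unlink(root, rel_path, scanned_identity):
    """Cleanup pass: re-walk with O_NOFOLLOW, refuse symlinks, and delete
    only if the inode is the one the scan saw. Returns True on deletion."""
    parts = _split(rel_path)
    root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        try:
            dir_fd = _walk_nofollow(root_fd, parts[:-1])
        except OSError:
            return False  # a directory component is now a link or is gone
        try:
            st = os.stat(parts[-1], dir_fd=dir_fd, follow_symlinks=False)
            if stat.S_ISLNK(st.st_mode) or (st.st_dev, st.st_ino) != scanned_identity:
                return False  # not the file we scanned
            os.unlink(parts[-1], dir_fd=dir_fd)
            return True
        except FileNotFoundError:
            return False
        finally:
            os.close(dir_fd)
    finally:
        os.close(root_fd)


def demo_honest():
    """Constructed case: nothing changes between scan and cleanup."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "quarantine"))
        target = os.path.join(root, "quarantine", "sample.bin")
        with open(target, "wb") as f:
            f.write(b"constructed sample")
        ident = scan_file(root, "quarantine/sample.bin")
        deleted = safe_unlink(root, "quarantine/sample.bin", ident)
        return deleted, os.path.exists(target)


def demo_swapped():
    """Constructed case: the quarantine directory is replaced by a symlink to
    a protected directory between scan and cleanup. The protected file must
    survive and cleanup must report that it did nothing."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "quarantine"))
        os.makedirs(os.path.join(root, "protected"))
        with open(os.path.join(root, "quarantine", "sample.bin"), "wb") as f:
            f.write(b"constructed sample")
        protected = os.path.join(root, "protected", "sample.bin")
        with open(protected, "wb") as f:
            f.write(b"must not be deleted")
        ident = scan_file(root, "quarantine/sample.bin")
        os.rename(os.path.join(root, "quarantine"), os.path.join(root, "quarantine.old"))
        os.symlink(os.path.join(root, "protected"), os.path.join(root, "quarantine"))
        deleted = safe_unlink(root, "quarantine/sample.bin", ident)
        return deleted, os.path.exists(protected)
```

Two points carry the weight here: every directory hop is opened relative to an already-open parent descriptor, so a link swapped in at any level makes the walk fail instead of being silently followed, and the final delete is gated on the inode identity captured at scan time rather than on the path string, which is the only thing the attacker controls.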

The investigators have published proofs of concept for Kaspersky, McAfee, Norton and many more in their blog post.