Multiple antivirus programs have been found to have a vulnerability that allows the “restore from quarantine” feature to be used for malicious purposes.
Dubbed AVGator, it essentially works by redirecting malware from an antivirus quarantine folder to a sensitive location on the victim’s system.
While performing a penetration test, a researcher infected computers by using a phishing e-mail scam. The malware in the email would get quarantined by the antivirus program, and he could then exploit vulnerabilities in the software that allow unprivileged users to restore the quarantined files. Next, he relayed the file to a privileged directory of his choice, such as a folder within C:\Program Files or C:\Windows, by abusing the Windows NTFS junction point feature.
The method also abused the Dynamic Link Library search-order feature. The malware then ran with full privileges.
Antivirus vendors have been notified of the vulnerability, and some of them have already released updates that address the issue, including Emsisoft, Ikarus, Kaspersky, Malwarebytes, Trend Micro, and ZoneAlarm.
Fortunately, AVGator has a big limitation in that a hacker must have physical access to the machine. However, for those companies with shared-computer environments, this could still remain a major problem.
Analysts recommend keeping antivirus programs up to date, and suggest removing the ability to restore files from quarantine.
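The redirection described above works only if the restore step trusts the stored path string. The following is an added example, not code from any of the vendors named here: a sketch of a restore-time check that resolves the destination directory and refuses to write through a link or junction or into a protected directory. The function names, the temporary directory layout and the use of a symlink as a stand-in for an NTFS junction are assumptions made for the demonstration.

```python
import os
import tempfile

def _is_under(path, root):
    """True if path equals root or lies inside it (both already resolved)."""
    try:
        return os.path.commonpath([path, root]) == root
    except ValueError:  # e.g. different drives on Windows
        return False

def restore_is_safe(recorded_path, protected_roots):
    """Decide whether a quarantined file may be restored to recorded_path.

    Returns (ok, reason). The check resolves the destination directory at
    restore time instead of trusting the path string stored at quarantine time.
    """
    lexical = os.path.normcase(os.path.abspath(recorded_path))
    parent = os.path.dirname(lexical)
    # realpath follows symlinks, and NTFS junctions on Windows (Python 3.8+).
    resolved = os.path.normcase(os.path.realpath(parent))
    if resolved != parent:
        return False, "destination crosses a link or junction: " + resolved
    if os.path.islink(lexical):
        return False, "destination itself is a link"
    for root in protected_roots:
        if _is_under(resolved, os.path.normcase(os.path.realpath(root))):
            return False, "destination is inside protected root: " + root
    return True, "ok"

def demo():
    """Constructed scenario in a temp directory; a symlink stands in for a junction."""
    base = os.path.realpath(tempfile.mkdtemp())
    downloads = os.path.join(base, "user", "downloads")
    protected = os.path.join(base, "protected")
    os.makedirs(downloads)
    os.makedirs(protected)
    recorded = os.path.join(downloads, "sample.dll")
    results = {"before_swap": restore_is_safe(recorded, [protected])}
    # The original directory is replaced by a link into the protected tree.
    os.rmdir(downloads)
    os.symlink(protected, downloads, target_is_directory=True)
    results["after_swap"] = restore_is_safe(recorded, [protected])
    results["direct"] = restore_is_safe(os.path.join(protected, "x.dll"), [protected])
    return results

if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(name, ok, reason)
```

A check followed by a separate write is still open to a race, so a product would also need to perform the restore without elevated privileges or against an already opened directory handle.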