Cybersecurity researchers at Trellix have uncovered a malware campaign that turns a trusted security tool into a weapon against the systems it was meant to protect. The attack abuses the legitimate Avast Anti-Rootkit driver (aswArPot.sys) to disable security applications and systematically gain kernel-level control of the host.
Attack Methodology
The malicious software, identified as “kill-floor.exe”, follows a simple but effective sequence of steps to compromise a system:
- Drops a copy of the legitimate aswArPot.sys driver into a Windows directory under the disguised name “ntfs.bin”
- Registers the dropped file as a service so that the driver is loaded into the kernel, giving the malware kernel-level access
- Carries a hardcoded blacklist of 142 security-application process names to be terminated

Technical Breakdown
At the core of the attack is a loop that continuously monitors the running processes. When a process name matches an entry in the hardcoded list, the malware calls into the Avast Anti-Rootkit driver’s “FUN_14001dc80” function (a decompiler-generated name for an unnamed routine in the driver) to terminate that process. Because the driver performs the kill from kernel mode using standard Windows kernel functions such as KeAttachProcess and ZwTerminateProcess, the termination originates from a legitimate component and looks like a routine system operation rather than malicious activity, which is what lets the malware evade the very products it is shutting down.
Potential Impact
The abuse of this driver transforms a trusted security tool into a threat, allowing malware to:
- Disable critical security software before it can respond
- Execute with kernel-level privileges
- Operate undetected within infected systems
Recommended Protections
Trellix recommends implementing BYOVD (Bring Your Own Vulnerable Driver) protection mechanisms to mitigate such risks. Key strategies include:
- Identifying and blocking known-vulnerable drivers by their unique signatures, so that a legitimate but exploitable driver cannot be loaded even though it carries a valid vendor signature
- Integrating expert rules into antivirus solutions
- Implementing specific protections against driver-based attacks
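As an added illustration of the driver-blocking and detection ideas above (this is example code written for this page, not Trellix's or Avast's own tooling), the following Python scores service-installation events for the BYOVD staging pattern described earlier: a kernel driver registered from a file outside the drivers directory, under a non-.sys name that reuses a built-in driver's service name, or with a hash on a vulnerable-driver blocklist. The event records and the blocklist hash are constructed placeholders, not values from the page.

```python
# Placeholder blocklist of SHA-256 hashes of known-vulnerable drivers. The hash
# of the abused aswArPot.sys build is not given on this page, so the key is a
# labelled stand-in; populate it from a maintained vulnerable-driver list.
VULNERABLE_DRIVER_SHA256 = {
    "placeholder-sha256-of-vulnerable-aswarpot-sys": "aswArPot.sys (Avast Anti-Rootkit)",
}

DRIVER_DIR = r"c:\windows\system32\drivers"
# Built-in driver service names a dropped file might be registered under.
BUILTIN_DRIVER_NAMES = {"ntfs", "fastfat", "disk", "volmgr", "tcpip"}

# Constructed sample records modelled on Windows System log event 7045
# (a new service was installed), with the image SHA-256 a collector would add.
SAMPLE_EVENTS = [
    {"event_id": 7045, "service": "Ntfs", "type": "kernel mode driver",
     "image": r"C:\Windows\System32\drivers\ntfs.sys", "sha256": "c0ffee" * 10},
    {"event_id": 7045, "service": "ntfs", "type": "kernel mode driver",
     "image": r"C:\Windows\ntfs.bin",
     "sha256": "placeholder-sha256-of-vulnerable-aswarpot-sys"},
    {"event_id": 7045, "service": "Spooler", "type": "user mode service",
     "image": r"C:\Windows\System32\spoolsv.exe", "sha256": "abcd" * 16},
]


def assess_driver_event(ev):
    """Return the reasons a service-install event looks like BYOVD staging
    (an empty list means nothing suspicious was found)."""
    reasons = []
    if ev.get("event_id") != 7045 or ev.get("type", "").lower() != "kernel mode driver":
        return reasons  # only kernel-driver installations are of interest here
    image = ev.get("image", "").lower()
    basename = image.rsplit("\\", 1)[-1]
    service = ev.get("service", "").lower()
    if not image.endswith(".sys"):
        reasons.append("kernel driver image does not have a .sys extension")
    if not image.startswith(DRIVER_DIR + "\\"):
        reasons.append("driver image is located outside the drivers directory")
    if service in BUILTIN_DRIVER_NAMES and basename != service + ".sys":
        reasons.append("service name reuses a built-in driver name for a different file")
    known = VULNERABLE_DRIVER_SHA256.get(ev.get("sha256", "").lower())
    if known:
        reasons.append("hash matches known-vulnerable driver: " + known)
    return reasons


def find_suspicious(events):
    """Map each flagged service name to the reasons it was flagged."""
    return {ev["service"]: assess_driver_event(ev)
            for ev in events if assess_driver_event(ev)}


if __name__ == "__main__":
    for svc, why in find_suspicious(SAMPLE_EVENTS).items():
        print(svc, "->", "; ".join(why))
```

On a live host the same checks apply to records from the System event log or an EDR's driver-load telemetry; the legitimate ntfs.sys entry is kept in the sample to show the checks do not fire on a genuine driver.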