Or Yair, a security researcher at SafeBreach, discovered multiple zero-day vulnerabilities that could turn endpoint detection and response (EDR) and antivirus tools into “next-generation wipers,” a potential new threat affecting hundreds of millions of endpoint systems (including consumer PCs) around the world. A wiper is a destructive type of malware designed to erase or corrupt files on a compromised system, to the point where any attempt to recover those files is pointless. Wipers need complete access to the file system to do their dirty work, which is exactly the kind of access antivirus and EDR programs also need in order to act promptly against a newly detected threat. As Yair explained, “there are two main events when an EDR deletes a malicious file”: first, the protection software identifies a file as malicious, and then it deletes the file. Yair’s goal was to act in the window between these two events, using a junction point (a type of symbolic link featured in the NTFS file system) to redirect the EDR tool to a different path.
The researcher was after so-called time-of-check to time-of-use (TOCTOU) vulnerabilities, using a Mimikatz-type program disguised as a fake copy of the ndis.sys Windows network driver. The first attempt to redirect the original ndis.sys link (C:\Windows\system32\drivers\ndis.sys) to the fake one was unsuccessful, as some EDR programs blocked further access to the Mimikatz program as soon as they detected it as a threat. Yair refined his technique by keeping the malicious file open, which forced the antivirus to request a reboot in order to delete it. This was the opening the researcher had been waiting for: by manipulating the Registry and rebooting, the new Aikido Wiper – so named by its creator – could delete entire directories, or even the root of the system disk (C:), without needing admin privileges. Yair tested Aikido Wiper against 11 security solutions and found that 50% of them were vulnerable to the new technique. The vulnerable products included Microsoft Defender, Defender for Endpoint, SentinelOne EDR, TrendMicro Apex One, Avast Antivirus, and AVG Antivirus, while other solutions (Palo Alto, Cylance, CrowdStrike, McAfee, and BitDefender, among others) were not exploitable. Over the past months the researcher reported the flaws he discovered to all vendors involved, and the companies responded by releasing fixes for their vulnerable EDR solutions.