Sense of Security – Security Advisory – SOS-17-001
| Release Date. | 10-Feb-2017 |
| Last Update. | – |
| Vendor Notification Date. | 20-Jan-2017 |
| Product. | Emsisoft Anti-Malware |
| Platform. | Microsoft Windows 8/8.1/10 |
| Affected versions. | a2hooks32.dll 10.0.0.218 |
| Severity Rating. | Medium |
| Impact. | Security bypass |
| Attack Vector. | From local system |
| Solution Status. | Vendor patch |
| CVE reference. | Not yet assigned |
Details
Emsisoft Anti-Malware injects user mode hooks into each running process via a2hooks32.dll. The hooks allow Emsisoft Anti-Malware to analyse the behaviour of the process and alert the user when malware actions are suspected, such as listening on a port or interacting with other processes.
The issue exists in the dynamic library a2hooks32.dll as it can be unloaded from memory without alerting the user. A malware developer can unload the hooks to bypass the Behavior Blocker.
Please refer to the PDF version of this advisory for proof of concept code examples.
Solution
Emsisoft fixed the issue in the latest version by making the hooks DLL statically linked.
Discovered By
Ayman Sagy from Sense of Security Labs.