The Terminator Antivirus Killer is a recently discovered cyber threat that disguises itself as a legitimate Windows driver. Its primary function is to disable various antivirus, Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR) security solutions on compromised systems, thereby making them susceptible to further attacks.
This tool is marketed by a cyber threat actor known as Spyboy on a Russian-speaking hacking forum. It is purportedly capable of bypassing 24 different security solutions, including Windows Defender, on devices running Windows 7 and later. The software can be purchased for anywhere from $300 for a single bypass to $3,000 for an all-in-one bypass. However, it’s worth noting that the Terminator isn’t a hacking tool in the traditional sense but instead operates as a “Bring Your Own Vulnerable Driver” (BYOVD) attack tool.
A BYOVD attack uses legitimate drivers that are signed with valid certificates and run with kernel privileges. Attackers drop these drivers onto victims’ devices and abuse them to disable security solutions and gain control over the system. This tactic has been adopted by various threat groups, from ransomware gangs motivated by financial gain to state-sponsored hacking entities.
The Terminator works by depositing a legitimate, signed Zemana anti-malware kernel driver into the C:\Windows\System32\ folder with a random name. The tool then uses the driver's kernel-level privileges to terminate the processes of AV and EDR software running on the device. However, the tool requires the attackers to have administrative privileges on the targeted Windows system and to trick the user into accepting a User Account Control (UAC) pop-up when running the tool.
Despite its alarming capabilities, the Terminator is not completely undetectable. The driver is currently being detected by a single anti-malware scanning engine as a vulnerable driver. Researchers have shared rules that can help defenders detect the vulnerable driver used by the Terminator tool.
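As an added example (not one of the researchers' rules and not from the original article), the placement described above can be turned into a simple triage over driver-load telemetry. It assumes Sysmon Event ID 6 (driver loaded) records are being collected; the sample events, host names, file names and the signer string are constructed for illustration.

```python
import ntpath

# Constructed Sysmon Event ID 6 (driver loaded) records. Field names follow
# Sysmon's schema; every value below is invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 6, "Computer": "ws-01", "Signature": "Microsoft Windows",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"EventID": 6, "Computer": "ws-02", "Signature": "Zemana Ltd.",
     "ImageLoaded": r"C:\Windows\System32\qkzjvtra.sys"},
    {"EventID": 6, "Computer": "ws-03", "Signature": "Zemana Ltd.",
     "ImageLoaded": r"c:\windows\system32\DRIVERS\example.sys"},
    {"EventID": 1, "Computer": "ws-02", "Image": r"C:\Windows\System32\cmd.exe"},
]

SYSTEM32_ROOT = r"c:\windows\system32"
WATCHED_SIGNER = "zemana"  # assumption: substring of the signer in the Signature field


def classify(event):
    """Return 'high', 'review' or None for a single event."""
    if event.get("EventID") != 6:
        return None
    # ntpath handles Windows paths on any analysis host; compare case-insensitively.
    path = ntpath.normpath(event.get("ImageLoaded", "")).lower()
    in_root = ntpath.dirname(path) == SYSTEM32_ROOT  # drivers normally load from \drivers
    watched = WATCHED_SIGNER in event.get("Signature", "").lower()
    if in_root and watched:
        return "high"    # matches the placement and signer described in the article
    if in_root or watched:
        return "review"  # unusual location, or the signer where the product is not deployed
    return None


def triage(events):
    """Return (host, driver path, severity) for every event worth a look."""
    hits = []
    for event in events:
        severity = classify(event)
        if severity:
            hits.append((event["Computer"], event["ImageLoaded"], severity))
    return hits


if __name__ == "__main__":
    for host, image, severity in triage(SAMPLE_EVENTS):
        print(f"{severity:6} {host} {image}")
```

Because the file name is random, the check keys on the load directory and signer rather than the name; hosts that legitimately run the Zemana product will need the "review" tier tuned or suppressed.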
The advent of tools like the Terminator has led to discussions about the sale of similar tools on the dark web. Other cyber threat actors are also selling antivirus and EDR “killers” that can assist in the propagation of malware while avoiding detection. These tools have been tested against many major security solutions and are capable of operating on various Windows versions from Windows 7 to Windows 11, and Windows Server 2008 to Windows Server 2022.
However, as menacing as the Terminator and similar tools may seem, they are not invincible. Their operation often requires administrator-level access, which is not readily available to all users. This highlights the importance of sound security practices, such as not granting administrator privileges unless absolutely necessary, and ensuring that all users are educated about potential security threats and how to respond.
To lessen the chance of becoming a victim of such attacks, several measures can be implemented:
- Regularly update your software and hardware as vendors often release updates that patch known security vulnerabilities.
- Use antivirus software, firewalls, and intrusion detection systems to protect your system.
- Train users to recognize and avoid threats such as phishing emails and other types of social engineering.
- Implement the principle of least privilege, providing only the necessary access for a user to perform their tasks.
- Use strong, unique passwords for each account.
- Enable multi-factor authentication to add an extra layer of security.
- Regularly back up important data to help recover in case of a ransomware attack or data loss.
- Regularly check system logs and use intrusion detection systems to help identify a security incident quickly.
The rise of threats like the Terminator Antivirus Killer underscores the importance of maintaining strong cybersecurity practices. It’s crucial to stay informed about the latest threats and take proactive steps to protect your systems and data.