
posted by Fnord666 on Wednesday February 12 2020, @01:44AM
from the digital-signing-FTF dept.

A kernel-level driver for old PC motherboards has been abused by criminals to hijack Windows computers, disable antivirus, and hold files to ransom.

Sophos this month reported that an arbitrary read-write flaw in a digitally signed driver for now-deprecated Gigabyte hardware was recently used by ransomware, dubbed Robbinhood, to quietly switch off security safeguards on Windows 7, 8 and 10 machines.

The problem, said Sophos, is that while Gigabyte stopped supporting and shipping the driver a while back, the software's cryptographic signature is still valid. And so, when the ransomware infects a computer – either by some other exploit or by tricking a victim into running it – and loads the driver, the operating system and antivirus packages will allow it because the driver appears legit.

At that point, the ransomware exploits the security flaw in the Gigabyte driver to alter memory to bypass protection mechanisms and inject malicious code into kernel space, completely compromising the box and allowing the file-scrambling component to run unhindered.

Also at: threatpost.

If only they used their powers for good.

  • (Score: 2) by TheReaperD (5556) on Wednesday February 12 2020, @03:40AM (#957080)

    The part you're missing is that, while you are boned if you've already run a virus as admin, the difference is your ability to remove it. A standard virus can be removed by an anti-virus, even if it requires a CD or USB boot. The problem here is that the driver will not show up as a virus and it will not be removed, even from an external boot, and slave-booting your primary drive, manually removing the driver and replacing it with a legitimate one, then modifying the Windows registry to match is way beyond any normal user and even most of tech support, leaving the only choice to wipe the drive.

    --
    Ad eundum quo nemo ante iit
  • (Score: 2) by vux984 (5045) on Wednesday February 12 2020, @05:44PM (#957288)

    That's an interesting point, but not necessarily true -- the driver could and should simply be flagged in the virus signature lists, and quarantined like any other simple virus. The fact that it's signed makes it particularly easy to keep track of because it can't be modified to evade the antivirus checks.
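The two points in play here, the story's observation that a deprecated driver still loads because its signature is valid, and the comment's suggestion that a signed driver is easy to track by its hash precisely because it cannot be modified without breaking that signature, can be shown together in a small simulation. The following is an added example, not code from the SoylentNews post, Sophos' report, or Gigabyte. Every driver name, image and digest in it is constructed, the `SignedDriver` class is a stand-in for a real Authenticode check (the signature covers the image digest), and `load_decision` models only the policy question of whether a valid signature alone should admit a driver or whether a hash blocklist of known-vulnerable drivers must be consulted as well.

```python
"""Added example: why a valid signature is not the same as a trustworthy driver,
and why a hash blocklist is hard for a signed driver to evade.

All names, bytes and digests are constructed stand-ins; no real driver is embedded.
"""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class SignedDriver:
    name: str
    image: bytes        # the driver file contents (constructed)
    signed_digest: str  # the digest the vendor's certificate vouches for

    def signature_valid(self) -> bool:
        # Stand-in for Authenticode: the signature is bound to the image
        # digest, so any change to the bytes invalidates it, and a vendor
        # dropping support does not invalidate it.
        return sha256_hex(self.image) == self.signed_digest


def sign(name: str, image: bytes) -> SignedDriver:
    """Simulate the vendor signing a driver image."""
    return SignedDriver(name, image, sha256_hex(image))


# Constructed sample drivers: a well-behaved one and a deprecated one with
# the kind of arbitrary kernel read/write flaw the story describes.
LEGIT = sign("vendor_ok.sys", b"CONSTRUCTED: well-behaved driver image")
VULN = sign("legacy_board.sys",
            b"CONSTRUCTED: deprecated driver exposing arbitrary kernel read/write")

# The defender's blocklist: digests of drivers known to be exploitable.
# (In practice this is the role of a vulnerable-driver blocklist or an
# antivirus signature entry, as the comment above suggests.)
BLOCKLIST = frozenset({sha256_hex(VULN.image)})


def load_decision(drv: SignedDriver, blocklist: frozenset = frozenset()) -> str:
    """Decide whether to load a driver.

    With an empty blocklist this is the signature-only policy the story
    describes: a valid signature is enough.  With a populated blocklist a
    validly signed but known-vulnerable driver is refused as well.
    """
    if not drv.signature_valid():
        return "deny: invalid signature"
    if sha256_hex(drv.image) in blocklist:
        return "deny: known-vulnerable driver"
    return "allow"


def tampered(drv: SignedDriver) -> SignedDriver:
    """Model an attempt to change the file's hash to slip past the blocklist.

    The signed digest no longer matches the image, so the signature check
    fails first: the hash cannot be changed without losing the signature.
    """
    return SignedDriver(drv.name, drv.image + b"\x00", drv.signed_digest)


def evaluate() -> dict:
    """Run the four cases that matter and return the policy outcomes."""
    return {
        "legit": load_decision(LEGIT, BLOCKLIST),
        "vuln_signature_only": load_decision(VULN),
        "vuln_with_blocklist": load_decision(VULN, BLOCKLIST),
        "vuln_tampered": load_decision(tampered(VULN), BLOCKLIST),
    }


if __name__ == "__main__":
    for case, outcome in evaluate().items():
        print(f"{case:22s} {outcome}")
```

The `vuln_signature_only` case is the situation in the story: the deprecated driver is accepted on its signature alone. The `vuln_with_blocklist` and `vuln_tampered` cases show the comment's point: once the digest is on a blocklist, the driver is refused, and any edit made to dodge the digest match breaks the signature instead.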