SoylentNews

Forgotten Motherboard Driver is Perfect For Slipping Windows Ransomware Past Antivirus Checks

posted by Fnord666 on Wednesday February 12 2020, @01:44AM   
from the digital-signing-FTF dept.

Arthur T Knackerbracket has found the following story:

A kernel-level driver for old PC motherboards has been abused by criminals to hijack Windows computers, disable antivirus, and hold files to ransom.

Sophos this month reported that an arbitrary read-write flaw in a digitally signed driver for now-deprecated Gigabyte hardware was recently used by ransomware, dubbed Robbinhood, to quietly switch off security safeguards on Windows 7, 8 and 10 machines.

The problem, said Sophos, is that while Gigabyte stopped supporting and shipping the driver a while back, the software's cryptographic signature is still valid. And so, when the ransomware infects a computer – either by some other exploit or by tricking a victim into running it – and loads the driver, the operating system and antivirus packages will allow it because the driver appears legit.

At that point, the ransomware exploits the security flaw in the Gigabyte driver to alter memory to bypass protection mechanisms and inject malicious code into kernel space, completely compromising the box and allowing the file-scrambling component to run unhindered.

Also at: threatpost.

If only they used their powers for good.

---

Original Submission

• Re:Been following this one Re:Been following this one (Score: 2) by sjames on Wednesday February 12 2020, @08:13AM (5 children)

  by sjames (2882) on Wednesday February 12 2020, @08:13AM (#957131) Journal

  I don';t think you actually have yo have the motherboard in question to be exploited.

  Parent

  Starting Score:	1		point
  Karma-Bonus Modifier		+1
  Total Score:		2

• Re:Been following this one Re:Been following this one (Score: 2) by kazzie on Wednesday February 12 2020, @11:07AM (4 children)

  by kazzie (5309) on Wednesday February 12 2020, @11:07AM (#957162)

  But you would, presumably, need the drivers to be installed? And why would you install drivers for somebody else's motherboard?

  Parent

  • Re:Been following this one Re:Been following this one (Score: 1) by jurov on Wednesday February 12 2020, @12:18PM (1 child)

    by jurov (6250) on Wednesday February 12 2020, @12:18PM (#957168)

    Why would anyone install useless browser toolbars? Yet many did.

    Parent

    • Re:Been following this one (Score: 2) by kazzie on Wednesday February 12 2020, @12:29PM

      by kazzie (5309) on Wednesday February 12 2020, @12:29PM (#957169)

      Granted, but if you're dupeing people into installing a toolbar, you can get them to install anything; it doesn't have to be some unsupported driver.

      Parent

  • Re:Been following this one (Score: 3, Informative) by dwilson on Wednesday February 12 2020, @04:36PM

    by dwilson (2599) on Wednesday February 12 2020, @04:36PM (#957229) Journal

    You don't need it previously installed, and you don't need the hardware present.

    As I understood it, the flow goes something like this:

    Bad actor uses some sort of browser exploit (ideally with no privilege escalation or user input required. We see these pop up somewhat regularly, sadly) to download their NastyCode(tm) packaged in with this driver, in the background. User remains clueless.
    The download is executed on completion by the same or a separate exploit, again ideally with no privilege escalation or user input. Because the driver is 'Signed", standard safeguards don't raise any red flags and allow it run, again silently. It gains admin rights as it installs without a hiccup, which the payload then uses to do... whatever it wants.

    --
    - D

    Parent

  • Re:Been following this one (Score: 2) by sjames on Wednesday February 12 2020, @09:40PM

    by sjames (2882) on Wednesday February 12 2020, @09:40PM (#957412) Journal

    The bad guy does that. But since it's signed by all the right people it gets installed without question.

    Parent