date 2011-02-20
from the digital-signing-FTF dept.
A kernel-level driver for old PC motherboards has been abused by criminals to hijack Windows computers, disable antivirus, and hold files to ransom.
Sophos this month reported that an arbitrary read-write flaw in a digitally signed driver for now-deprecated Gigabyte hardware was recently used by ransomware, dubbed Robbinhood, to quietly switch off security safeguards on Windows 7, 8 and 10 machines.
The problem, said Sophos, is that while Gigabyte stopped supporting and shipping the driver a while back, the software's cryptographic signature is still valid. And so, when the ransomware infects a computer – either by some other exploit or by tricking a victim into running it – and loads the driver, the operating system and antivirus packages will allow it because the driver appears legit.
At that point, the ransomware exploits the arbitrary read-write flaw in the Gigabyte driver to modify kernel memory, bypass protection mechanisms, and inject malicious code into kernel space, completely compromising the box and allowing the file-scrambling component to run unhindered.
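The summary above makes a defender-relevant point: a valid signature tells the OS who signed a driver, not whether that driver is safe to load, so driver-load telemetry should also be matched against a denylist of known-vulnerable driver hashes and checked for signature status and load path. The following is an added example of that check and is not code from the article, Sophos or Gigabyte; the pipe-delimited log layout, the driver file names and paths, the hashes and the denylist entry are all constructed placeholders, since the page names no file names or hashes.

```python
"""
Added example: assess kernel driver-load events against a denylist of
known-vulnerable (but validly signed) drivers, plus signature-status and
load-path heuristics. All sample data is constructed; nothing here is a
real indicator.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


def _placeholder_sha256(label: str) -> str:
    """Derive a stable fake SHA-256 from a label so sample data stays consistent."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed denylist keyed by SHA-256. A real deployment would load a
# maintained vulnerable-driver blocklist instead of these placeholders.
KNOWN_VULNERABLE_DRIVERS = {
    _placeholder_sha256("placeholder: deprecated vendor driver"):
        "placeholder vendor driver with arbitrary kernel read/write",
}

# Directories from which driver loads are considered expected (assumption).
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)

# Constructed Sysmon-style DriverLoad (EventID 6) records in a pipe-delimited
# key=value layout; the layout itself is an assumption for this example.
SAMPLE_EVENTS = [
    "EventID=6|ImageLoaded=C:\\Windows\\System32\\drivers\\storahci.sys"
    "|Signed=true|SignatureStatus=Valid|Signature=Microsoft Windows"
    f"|Hashes=SHA256={_placeholder_sha256('placeholder: inbox driver')}",
    "EventID=6|ImageLoaded=C:\\Users\\Public\\update\\vendor.sys"
    "|Signed=true|SignatureStatus=Valid|Signature=Placeholder Vendor Co."
    f"|Hashes=SHA256={_placeholder_sha256('placeholder: deprecated vendor driver')}",
    "EventID=6|ImageLoaded=C:\\Windows\\Temp\\x.sys"
    "|Signed=false|SignatureStatus=Unsigned|Signature="
    f"|Hashes=SHA256={_placeholder_sha256('placeholder: unsigned driver')}",
    "EventID=6|ImageLoaded=C:\\Users\\Public\\tools\\vendor2.sys"
    "|Signed=true|SignatureStatus=Valid|Signature=Another Placeholder Vendor"
    f"|Hashes=SHA256={_placeholder_sha256('placeholder: benign third-party driver')}",
    # An image-load event (EventID 7) is not a driver load and is ignored.
    "EventID=7|Image=C:\\Windows\\explorer.exe"
    "|ImageLoaded=C:\\Windows\\System32\\user32.dll|Signed=true|SignatureStatus=Valid",
]


@dataclass
class Finding:
    driver: str
    severity: str
    reason: str


def parse_event(line: str) -> dict:
    """Split a pipe-delimited key=value record into a dict (values may contain '=')."""
    fields = {}
    for token in line.split("|"):
        key, sep, value = token.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def sha256_of(fields: dict) -> Optional[str]:
    """Extract the SHA256 digest from a Hashes field like 'MD5=..,SHA256=..'."""
    for part in fields.get("Hashes", "").split(","):
        algo, sep, digest = part.partition("=")
        if sep and algo.strip().upper() == "SHA256":
            return digest.strip().lower()
    return None


def assess_driver_load(fields: dict) -> Optional[Finding]:
    """Return a Finding for a suspicious driver load, or None if it looks routine."""
    if fields.get("EventID") != "6":
        return None
    path = fields.get("ImageLoaded", "")
    digest = sha256_of(fields)
    status = fields.get("SignatureStatus", "")

    # A valid signature does not exempt a driver from the vulnerable-driver denylist.
    if digest in KNOWN_VULNERABLE_DRIVERS:
        return Finding(path, "high",
                       f"known-vulnerable driver loaded (signature {status}): "
                       f"{KNOWN_VULNERABLE_DRIVERS[digest]}")
    if status != "Valid":
        return Finding(path, "high", f"driver loaded with signature status '{status or 'missing'}'")
    if not path.lower().startswith(TRUSTED_DRIVER_DIRS):
        return Finding(path, "medium", "validly signed driver loaded from an unusual directory")
    return None


def scan(lines) -> list:
    """Run assess_driver_load over raw log lines and collect the findings."""
    findings = []
    for line in lines:
        finding = assess_driver_load(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.driver}: {f.reason}")
```

The denylist check runs before the signature-status check on purpose: the driver in the story would pass the signature check, which is exactly why hash matching has to happen independently of whether the signature validates.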
Also at: threatpost.
If only they used their powers for good.
(Score: 2) by vux984 on Wednesday February 12, @01:55AM (1 child)
It's neat on a technical level, but unless I've missed something it's really not a particularly big threat.
Sure the driver is signed, and sure it has an exploit. But if installing it comes down to:
"either by some other exploit or by tricking a victim into running it"
Then it's no different than any other threat. Once you've tricked your victim into running it as administrator, then the whole signed driver thing is kind of moot. I mean, if the attackers need admin rights to install it, then it doesn't do them a lot of good. And if they have admin rights, then really this is just the cherry on top, they're ALREADY in with admin rights -- they can do plenty of damage without installing an exploitable kernel driver.
Again: "unless I've missed something"?
(Score: 0) by Anonymous Coward on Wednesday February 12, @02:04AM
Yeah, you missed the bigger picture... "Windows".