ESET’s research into “Bring Your Own Vulnerable Driver” details attacks on drivers in Windows’ core

Created: 2022-01-11 09:59:04

  • The blogpost provides an in-depth look at vulnerabilities in kernel drivers (the kernel being the central component of the Windows operating system).
  • Vulnerabilities in signed drivers are mostly utilized by game cheat developers to circumvent anti-cheat mechanisms, but they have also been used by several APT groups and in commodity malware.
  • Delivering a vulnerable signed kernel driver is a popular option for attackers – this technique is called Bring Your Own Vulnerable Driver (BYOVD).
  • This technique was utilized by the Slingshot and InvisiMole APT groups, the RobbinHood ransomware family, and LoJax, the first-ever UEFI rootkit used in the wild.
  • ESET researchers have discovered vulnerabilities in three drivers.
  • The blogpost details mitigation techniques.

BRATISLAVA, PRAGUE — January 11, 2022 — ESET Research has released a blogpost offering an in-depth look into the abuse of vulnerable kernel drivers. Vulnerabilities in signed drivers are mostly utilized by game cheat developers to circumvent anti-cheat mechanisms, but they have also been observed being used by several APT groups and in commodity malware. The blogpost discusses the types of vulnerabilities that commonly occur in kernel drivers, provides several case studies of malware utilizing such vulnerable drivers, analyzes examples of vulnerable drivers discovered during our research, and outlines effective mitigation techniques against this type of exploitation. Such drivers can become unguarded gateways to Windows’ core for malicious actors.

Among the various types of kernel drivers (the kernel being the central component of the Windows operating system) are “software” drivers that provide specific, non-hardware-related features such as software debugging and diagnostics or system analysis. These extend the attack surface significantly. Although directly loading a malicious, unsigned driver is no longer possible in newer versions of Windows, and kernel rootkits are considered a thing of the past, there are still ways to load malicious code into the kernel, especially by abusing legitimate, signed drivers. Indeed, many drivers from various hardware and software vendors offer functionality that gives full access to the kernel with minimal effort.

The vulnerabilities most frequently observed in kernel drivers include:

  • failures to add checks that restrict read and write access to critical model-specific registers (MSRs);
  • exposing the ability to map physical memory from user mode for reading and writing; and
  • exposing the ability to access virtual kernel memory from user mode for reading and writing.

“When malware actors need to run malicious code in the Windows kernel on x64 systems with driver signature enforcement in place, carrying a vulnerable signed kernel driver seems to be a viable option for doing so. This technique is known as Bring Your Own Vulnerable Driver, abbreviated as BYOVD, and has been observed being used in the wild by both high-profile APT actors and in commodity malware,” explains Peter Kálnai, one of the co-investigators of this research.


Examples of malicious actors using the BYOVD technique include the Slingshot APT group, which implemented its main module, called Cahnadr, as a kernel-mode driver that is loaded by means of vulnerable signed kernel drivers. Another example is the InvisiMole APT group, which was uncovered by ESET researchers in 2018. A newer variant of the InvisiMole malware is the only case to date in which ESET has observed MSR exploitation on Windows 10 x64 systems being used in the wild by a malicious actor.

Yet another example is the RobbinHood ransomware. As commodity malware it aims to reach as many victims as possible, so its use of the BYOVD technique is rare but powerful: it leverages a vulnerable GIGABYTE motherboard driver to disable driver signature enforcement and then installs its own malicious driver. Finally, LoJax, another ESET discovery from 2018 and the first-ever UEFI rootkit used in the wild, used the RWEverything driver to gain access to victims’ UEFI modules.

ESET researchers not only catalogued existing vulnerabilities, but also looked for new ones — a full list of the discovered vulnerabilities can be found in the published in-depth blogpost. The vendors that ESET contacted were very proactive during the disclosure process and eager to fix the uncovered vulnerabilities. 

“Although there are several mechanisms employed by the CPU and/or the operating system, most of them can be bypassed with some clever techniques and are not very effective if the attacker prepares for them ahead of time,” says Kálnai.  

The blogpost offers the following useful mitigation techniques:

  • Virtualization-based security: This is a feature introduced in Windows 10 that leverages hardware virtualization to isolate a secure region of memory from the normal operating system kernel and to enforce protections from there, such as hypervisor-protected code integrity (HVCI), so that code cannot be made executable in the kernel unless it passes code-integrity checks, even if an attacker already has kernel read/write access.
  • Certificate revocation: On modern Windows systems, drivers need a valid signature based on an acceptable certificate. Revoking the certificate of a vulnerable driver would therefore be an easy way to “disarm” it and render it useless in most cases.
  • Driver blocklisting: This is a practice adopted by both Microsoft and various third-party security product vendors, including ESET, to detect and delete the most notorious vulnerable drivers when found on a system.
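The three mitigations above can be checked on a Windows host with the following PowerShell. This is an example added here; it is not code from the ESET blogpost or this press release. It assumes a Windows 10/11 host where the Win32_DeviceGuard WMI class is available, it assumes the host’s build exposes the Microsoft vulnerable driver blocklist switch as the VulnerableDriverBlocklistEnable registry value (older builds simply lack the value), and the driver file names in the watchlist are constructed, assumed names for the RWEverything and GIGABYTE drivers named in the text.

```powershell
# Added example, not part of the ESET blogpost or this press release: audit a
# Windows host for the three BYOVD mitigations above. Run in an elevated PowerShell.

# --- 1. Virtualization-based security / HVCI ---------------------------------
# Win32_DeviceGuard.VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but
# not running, 2 = running. SecurityServicesRunning contains 2 when
# hypervisor-protected code integrity (HVCI) is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
"VBS running : $($dg.VirtualizationBasedSecurityStatus -eq 2)"
"HVCI running: $($dg.SecurityServicesRunning -contains 2)"

# --- 2. Microsoft vulnerable driver blocklist --------------------------------
# Assumption: the host runs a build that exposes the blocklist switch as
# CI\Config\VulnerableDriverBlocklistEnable; on older builds the value is absent.
$ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$bl = (Get-ItemProperty -Path $ciKey -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
"Vulnerable driver blocklist: " + $(if ($null -eq $bl) { 'value not present' } elseif ($bl -eq 1) { 'enabled' } else { 'disabled' })

# --- 3. Loaded kernel drivers, their signer, and a watchlist match -----------
# Service image paths come in several shapes; normalise them to a file path.
function Resolve-DriverPath([string]$PathName) {
    $p = $PathName -replace '^\\\?\?\\', ''                                 # \??\C:\...      -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot                       # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\x.sys (relative)
    return $p
}

# Constructed watchlist (assumed file names for the RWEverything and GIGABYTE
# drivers mentioned in the text). Replace it with a maintained blocklist; a
# signer name alone says nothing, since the drivers discussed are validly signed.
$watchlist = @('rwdrv.sys', 'gdrv.sys')

Get-CimInstance -ClassName Win32_SystemDriver |
  Where-Object { $_.State -eq 'Running' -and $_.PathName } |
  ForEach-Object {
    $path = Resolve-DriverPath $_.PathName
    if (-not (Test-Path -LiteralPath $path)) { return }
    $sig    = Get-AuthenticodeSignature -LiteralPath $path
    $file   = [IO.Path]::GetFileName($path)
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    [pscustomobject]@{
      Service     = $_.Name
      File        = $file
      SigStatus   = $sig.Status
      Signer      = $signer
      OnWatchlist = ($watchlist -contains $file.ToLower())
    }
  } |
  Sort-Object OnWatchlist -Descending |
  Format-Table -AutoSize
```

A watchlist hit on a running driver is the case the mitigations are meant to prevent: the file is validly signed, so signature status will read Valid, and only HVCI, certificate revocation or a blocklist entry stops it from being loaded.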

For more technical details about vulnerable signed kernel drivers, read the blogpost “Signed kernel drivers – Unguarded gateway to Windows’ core” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research. 

 




About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.
