Jump to content
  • Malware found in over 100 signed Windows drivers

    alf9872000

    • 387 views
    • 3 minutes
     Share


    • 387 views
    • 3 minutes

    Yesterday's security updates for Windows and other Microsoft products came with an advisory regarding the malicious use of Microsoft signed drivers.

     

    Security researchers at Sophos, Trend Micro and Cisco informed Microsoft about malware in signed drivers in February 2023. The researchers discovered that drivers "certified by Microsoft's Windows Hardware Developer Program were being used maliciously in post-exploitation activity".

     

    The researchers identified 133 different drivers, the majority certified, by multiple developer accounts and reported their findings to Microsoft. Some of the signed drivers date back to April 2021 according to Sophos.

     

    Microsoft is blocking the malicious drivers and has closed the responsible developer accounts. The drivers have been put on the Windows Driver.STL revocation list; this list prevents them from being loaded on Windows devices. The revocation list ships with Windows and is updated regularly via Windows Update. Microsoft notes that the list is not part of Windows and that it can't be disabled, removed or manipulated.

     

    Windows administrators should make sure that the latest Windows updates are installed and that third-party security software is up to date as well. Administrators should run offline scans on their devices to detect malicious drivers that were installed before March 2, 2023. Sophos has published hashes of the malicious drivers on GitHub.

     

    Other Microsoft services, including Microsoft 365, Azure or Xbox are not affected by the issue according to Microsoft's advisory.

     

    Microsoft introduced a policy in Windows 10 version 1607 that required a valid digital signature for kernel drivers. Windows systems with Secure Boot enabled load only these drivers and refuse to load any drivers not digitally signed.

     

    Sophos notes that several of the digital certificates appear to have their origin in China, which it bases on the company names associated with the certificates.

     

    Sophos researchers discovered two main types of drivers. Some fell into the "Endpoint protection killer" category, which were similar to maliciously signed drivers discovered in 2022. Others had rootkit-like capabilities and were designed to run silently in the background.

     

    These drivers could only be installed by accounts with elevated rights. The rootkit drivers had network monitoring capabilities using the Windows Filtering Platform. It allowed the malicious actor to monitor incoming and outgoing Internet traffic.

     

    At least some of the rootkits belong to known Windows rootkit families according to Sophos' analysis and many included command-and-control server functionality, which gave the malicious actor even more control over infected devices.

     

    All malicious drivers that Sophos reported to Microsoft have been invalidated and revoked by Microsoft as of July 11, 2023. Microsoft Defender 1.391.3822.0 and newer versions of the built-in security tool detect the malicious drivers as well.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...