Microsoft Has a Continuing Problem With Malicious Drivers

Microsoft’s problem with malicious drivers is likely far greater than previously thought. The security architecture of the Windows operating system contains exceptions that invite attackers to inject malicious code into systems.

Just the tip of the iceberg

That Microsoft has a driver problem became clear last week. First, the company blocked hundreds of drivers for which malicious actors had fraudulently obtained digital signatures and which they had used to place their malware deep inside Windows installations, bypassing all protective measures.

Security researchers at Cisco Talos, however, point out that Microsoft’s measures only solve part of the problem, because there is another, much simpler and more frequently used way of bringing drivers with embedded malicious code into Windows systems. Under certain conditions, the operating system does not look closely at whether the signature is valid. The background is Microsoft’s ongoing effort to remain as backward compatible as possible with some very old software.

The tools are available

Starting with Windows 10 version 1607, Microsoft requires kernel-mode drivers to be signed through its developer portal. “This process is designed to ensure that the drivers meet Microsoft’s requirements and security standards,” said Talos researcher Chris Neal. Still, there are exceptions, notably one for drivers signed with certificates that have expired or were issued before July 29, 2015.

So a recompiled driver signed with an unrevoked certificate issued before that date will not be blocked. Various tools are now circulating in the malware scene that exploit this gap in the security architecture; the two most used are FuckCertVerifyTimeValidity and HookSignTool.
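For defenders who want to find drivers on a host that fall under this exception, the following PowerShell triage script is an added example (not from the article, Talos or Microsoft): it lists embedded- or catalog-signed kernel drivers whose signing certificate was issued before the July 29, 2015 cutoff or has already expired, so they can be reviewed by hand. The cutoff date, driver directory and the Microsoft-signer filter are assumptions chosen for this example.

```powershell
# Added example (not from the article): flag drivers whose signer certificate predates
# the cutoff described above, or has expired, for manual review. The parameter defaults
# are assumptions for this example, not Microsoft settings.
param(
    [datetime]$Cutoff = [datetime]'2015-07-29',
    [string]$DriverDir = (Join-Path $env:SystemRoot 'System32\drivers'),
    [switch]$ExcludeMicrosoft   # drop signers whose subject names Microsoft, to cut noise
)

$findings = foreach ($file in Get-ChildItem -Path $DriverDir -Filter '*.sys' -File) {
    # Get-AuthenticodeSignature prefers the Windows catalog signature when one exists.
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $cert = $sig.SignerCertificate
    if ($null -eq $cert) { continue }   # no signer certificate: nothing to date-check

    # Heuristic from the article: a certificate issued before the cutoff (or already
    # expired) can still be honoured for a driver, so it deserves a closer look.
    $preCutoff = $cert.NotBefore -lt $Cutoff
    $expired   = $cert.NotAfter  -lt (Get-Date)
    if (-not ($preCutoff -or $expired)) { continue }
    if ($ExcludeMicrosoft -and $cert.Subject -match 'Microsoft') { continue }

    [pscustomobject]@{
        Driver      = $file.Name
        Status      = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer      = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotBefore   = $cert.NotBefore
        NotAfter    = $cert.NotAfter
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}

# Oldest certificates first; the output is a review list, not a verdict.
$findings | Sort-Object NotBefore | Format-Table -AutoSize
```

Many legitimate drivers carry certificates issued before 2015, so hits are candidates for comparison against vendor provenance and Microsoft's revocation and blocklist updates, not indicators of compromise on their own.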

A manual workaround is required

These tools make it possible to give a driver an old signature so that it appears to be an old piece of software. In that case, Windows’s internal security checks no longer look so closely. According to the Talos researchers, the number of drivers signed in this way runs into the thousands, and Microsoft essentially has no choice but to invalidate the certificates one by one as they are discovered.