For nearly two years, Microsoft officials failed to maintain a key Windows defense, an unexplained lapse that left customers exposed to a malware infection technique that has been especially effective in recent months.
Microsoft officials have strongly asserted that Windows Update will automatically add new software drivers to a block list designed to thwart a well-known trick in the malware infection manual. Known as BYOVD, short for bring your own vulnerable driver, the malware technique makes it easy for an attacker with administrative control to bypass Windows kernel protections. Instead of writing an exploit from scratch, the attacker simply installs any one of dozens of third-party drivers with known vulnerabilities. The attacker then exploits those vulnerabilities to gain instant access to some of the most protected regions of Windows.
However, it turns out that Windows was not properly downloading and applying updates to the driver block list, leaving users vulnerable to new BYOVD attacks.
As attacks mount, Microsoft’s countermeasures languish
Drivers generally allow computers to work with printers, cameras, or other peripheral devices, or to do other things, such as provide analysis of how the computer’s hardware is working. For many drivers to work, they need a direct pipeline to the kernel, the core of an operating system where the most sensitive code resides. For this reason, Microsoft heavily hardens the kernel and requires all drivers to be digitally signed with a certificate verifying that they have been inspected and come from a trusted source.
Even then, however, legitimate drivers sometimes contain memory corruption vulnerabilities or other serious flaws that, when exploited, allow hackers to funnel their malicious code directly into the kernel. Even after a developer patches the vulnerability, old buggy drivers remain excellent candidates for BYOVD attacks because they are already signed. By adding this type of driver to the execution flow of a malware attack, hackers can save weeks of development and testing time.
BYOVD has been a fact of life for at least a decade. Malware nicknamed Slingshot employed BYOVD since at least 2012, and other early participants in the BYOVD scene included LoJax, InvisiMole and RobbinHood.
In recent years, we have seen a wave of new BYOVD attacks. One such attack late last year was carried out by the North Korean government-backed Lazarus group. It used a decommissioned Dell driver with a high-severity vulnerability to attack an aerospace company employee in the Netherlands and a political journalist in Belgium.
In a separate BYOVD attack a few months ago, cybercriminals installed BlackByte ransomware by installing and then exploiting a buggy driver for Micro-Star’s MSI AfterBurner 184.108.40.20658, a widely used graphics card overclocking utility.
In July, a ransomware group installed the driver mhyprot2.sys—a deprecated anti-cheat driver used by the popular game Genshin Impact—during targeted attacks that went on to exploit a code execution vulnerability in the driver to further break into Windows.
A month before that, the criminals who spread the AvosLocker ransomware abused the vulnerable Avast anti-rootkit driver aswarpot.sys to bypass virus scanning.
Entire blog posts have been devoted to listing the growing number of BYOVD attacks, with this post from security firm Eclypsium and this one from ESET among the most notable.
Microsoft is well aware of the BYOVD threat and has been working on defenses to stop it, primarily by creating mechanisms that prevent Windows from loading signed but vulnerable drivers. The most common mechanism for blocking drivers uses a combination of what is called memory integrity and HVCI, short for hypervisor-protected code integrity. A separate mechanism for preventing faulty drivers from being written to disk is known as ASR, or Attack Surface Reduction.
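The following PowerShell script is an added example, not code from the article or from Microsoft: it is a read-only audit of the three countermeasures just described on a Windows host, reporting whether HVCI is running, whether the vulnerable driver blocklist is switched on, how old the applied blocklist policy file is, how the relevant ASR rule is configured, and whether either of the two driver files named in this article is currently loaded. The registry value under CI\Config, the driversipolicy.p7b path and the ASR rule GUID are this example's assumptions about Microsoft-documented values, marked as such in the comments, and should be checked against current Microsoft documentation before the output is relied on.

```powershell
# Added example (not from the article): a read-only audit of the BYOVD
# countermeasures described above. Run in an elevated PowerShell session
# for complete results. Values marked "assumed" are this example's
# understanding of Microsoft-documented settings, not facts from the article.

function Get-ByovdDefenseStatus {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Memory integrity / HVCI. Win32_DeviceGuard lists the running
    #    virtualization-based security services; code 2 means HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $result.HvciRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    # 2. Vulnerable driver blocklist switch for hosts without HVCI
    #    (assumed registry value: CI\Config\VulnerableDriverBlocklistEnable = 1).
    $ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $flag = (Get-ItemProperty -Path $ciKey -Name VulnerableDriverBlocklistEnable `
                 -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    $result.BlocklistRegistryEnabled = ($flag -eq 1)

    # 3. Age of the applied blocklist policy file (assumed path). A policy file
    #    that has not changed in many months is the symptom the article describes.
    $policy = Join-Path $env:SystemRoot 'System32\CodeIntegrity\driversipolicy.p7b'
    if (Test-Path $policy) {
        $result.BlocklistLastWriteUtc = (Get-Item $policy).LastWriteTimeUtc
        $result.BlocklistAgeDays = [int]((Get-Date).ToUniversalTime() -
                                         $result.BlocklistLastWriteUtc).TotalDays
    } else {
        $result.BlocklistLastWriteUtc = $null
        $result.BlocklistAgeDays = $null
    }

    # 4. ASR rule "Block abuse of exploited vulnerable signed drivers"
    #    (assumed GUID). Action codes: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
    $asrId = '56a863a9-875e-4185-98a7-b882c64b5ce5'
    $result.AsrDriverRuleAction = 'NotConfigured'
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    if ($mp -and $mp.AttackSurfaceReductionRules_Ids) {
        for ($i = 0; $i -lt $mp.AttackSurfaceReductionRules_Ids.Count; $i++) {
            if ($mp.AttackSurfaceReductionRules_Ids[$i] -ieq $asrId) {
                $result.AsrDriverRuleAction = switch ($mp.AttackSurfaceReductionRules_Actions[$i]) {
                    0 { 'Disabled' }
                    1 { 'Block' }
                    2 { 'Audit' }
                    6 { 'Warn' }
                    default { "Unknown($_)" }
                }
            }
        }
    }

    # 5. Are either of the driver files named in the article loaded right now?
    #    Win32_SystemDriver exposes each kernel driver's state and image path.
    $watch = @('mhyprot2.sys', 'aswarpot.sys')
    $loaded = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        Where-Object { $watch -contains (Split-Path -Leaf $_.PathName).ToLower() }
    $result.WatchedDriversLoaded = @($loaded | ForEach-Object { $_.PathName })

    [pscustomobject]$result
}

Get-ByovdDefenseStatus | Format-List
```

A host where HvciRunning is false, BlocklistRegistryEnabled is false and the ASR rule is not in Block mode has none of the three layers active, and a BlocklistAgeDays value in the hundreds is worth comparing against the date of the most recent Microsoft blocklist release before concluding the block list is current.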
Unfortunately, neither approach seems to have worked as well as intended.