“Bring your own vulnerable driver” attacks break Windows


Digital security is a constant cat-and-mouse game, with new vulnerabilities being discovered as quickly (if not faster) as older problems are fixed. Lately, “Bring Your Own Vulnerable Driver” attacks are becoming a complex problem for Windows PCs.

Most Windows drivers are designed to interact with specific hardware – for example, if you buy a headset from Logitech and plug it in, Windows may automatically install a driver made by Logitech. However, there are many Windows kernel-level drivers that are not intended to communicate with external devices. Some are used to debug low-level system calls, and in recent years many PC games have started installing them as anti-cheat software.

Windows does not allow unsigned kernel-mode drivers to run by default, starting with 64-bit Windows Vista, which has dramatically reduced the amount of malware that can gain access to your entire PC. This has led to the growing popularity of “Bring Your Own Vulnerable Driver” vulnerabilities, or BYOVD for short, which take advantage of existing signed drivers instead of loading new unsigned drivers.

How system calls work with drivers on Windows
How system calls work with drivers on Windows ESET

So how does it work? Well, it involves malicious programs finding a vulnerable driver that is already present on a Windows PC. The vulnerability looks for a signed driver that does not validate calls to model-specific registers (MSRs), then takes advantage of this to interact with the Windows kernel through the compromised driver (or use it to load an unsigned driver). To use a real life analogy, it’s like how a virus or parasite uses a host organism to spread, but the host in this case is another engine.

This vulnerability has already been used by malware in the wild. ESET researchers have discovered that a malicious program, dubbed “InvisiMole”, used a BYOVD vulnerability in Almico’s “SpeedFan” utility driver to load an unsigned malicious driver. Video game publisher Capcom has also released some games with an anti-cheat driver that could be easily hacked.

Microsoft’s software mitigations for the infamous 2018 Meltdown and Specter security flaws also prevent some BYOVD attacks, and other recent x86 processor improvements from Intel and AMD close some gaps. However, not everyone has the newest computers or the latest fully patched versions of Windows, so malware that uses BYOVD is always an ongoing problem. The attacks are also incredibly complicated, so it’s hard to fully mitigate them with Windows’ current driver model.

The best way to protect yourself against any malware, including BYOVD vulnerabilities discovered in the future, is to keep Windows Defender enabled on your PC and allow Windows to install security updates whenever they are released. are published. Third-party antivirus software can also provide additional protection, but the built-in Defender is usually sufficient.

Source: ESET


Comments are closed.