Dan Goodin* says Windows’ trust in abandoned code has allowed ransomware to burrow deep into targeted machines.
Attackers behind one of the world’s more destructive pieces of ransomware have found a new way to defeat defences that might otherwise prevent the attack from encrypting data: installing a buggy driver first and then hacking it to burrow deeper into the targeted computer.
The ransomware in this case is RobbinHood, known for taking down the City of Baltimore’s networks and systems in Greenville, North Carolina.
When networks aren’t protected by robust endpoint defences, RobbinHood can easily encrypt sensitive files once a vulnerability has allowed the malware to gain a toehold.
For networks that are better fortified, the ransomware has a harder time.
Now, RobbinHood has found a way to defeat those defences.
In two recent attacks, researchers from security firm Sophos said, the ransomware has used its access to a targeted machine to install a driver, from Taiwan-based motherboard manufacturer Gigabyte, that has a known vulnerability in it.
Despite the vulnerability that led to the driver being deprecated, it retains the cryptographic signature required for it to run in the highly sensitive Windows region known as the Kernel.
With the benign but buggy GDRV.SYS driver from Gigabyte installed, RobbinHood exploited the vulnerability to gain the ability to read and write to virtually any memory region the attackers chose.
The RobbinHood exploit changed a single byte to disable the Windows requirement that drivers be signed.
With that, RobbinHood installed its own unsigned driver that used its highly privileged kernel access to kill processes and files belonging to endpoint security products.
Because that driver ran in the kernel, it could stop the targeted processes more reliably, and more permanently, than user-mode techniques could.
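The sequence described above (a signed-but-vulnerable driver is installed, then a second kernel driver follows shortly after) is something a defender can look for in service-installation events. The script below is an added example, not code from the article or from Sophos; it runs over a constructed, flattened sample of Service Control Manager "service installed" events and flags that chain. The driver list contains only GDRV.SYS, the one named in the article, and the second driver's name and path are placeholders.

```python
import os
from datetime import datetime, timedelta

# Signed-but-vulnerable drivers to watch for. Only the driver named in the article
# is listed; extending the set is the operator's job (assumption of this example).
VULNERABLE_DRIVERS = {"gdrv.sys"}

# Window in which a second kernel-driver install after a vulnerable one is suspicious.
CHAIN_WINDOW = timedelta(minutes=10)

# Constructed sample of Service Control Manager "service installed" events (Event ID 7045),
# flattened to: timestamp|event_id|service_name|image_path|service_type
SAMPLE_LOG = """\
2020-02-06T09:00:01|7045|gdrv|C:\\Windows\\Temp\\gdrv.sys|kernel mode driver
2020-02-06T09:00:03|7045|sv_placeholder|C:\\Windows\\Temp\\placeholder_unsigned.sys|kernel mode driver
2020-02-06T09:30:00|7045|acme_nic|C:\\Windows\\System32\\drivers\\acme_nic.sys|kernel mode driver
2020-02-06T09:31:00|7045|UpdaterSvc|C:\\Program Files\\Acme\\updater.exe|user mode service
"""

def parse_events(text):
    """Turn the flattened log into dicts; skip malformed lines rather than crash."""
    events = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 5 or parts[1] != "7045":
            continue
        ts, _, name, path, svc_type = parts
        events.append({"ts": datetime.fromisoformat(ts), "name": name,
                       "path": path, "kernel": svc_type == "kernel mode driver"})
    return events

def detect_byovd(text):
    """Return (alert_kind, service_name) pairs for the pattern the article describes:
    a known-vulnerable signed driver is installed, then another kernel driver soon after."""
    alerts = []
    last_vuln_ts = None
    for ev in sorted(parse_events(text), key=lambda e: e["ts"]):
        if not ev["kernel"]:
            continue
        # Normalise Windows paths so basename works on any host running this check.
        basename = os.path.basename(ev["path"].replace("\\", "/")).lower()
        if basename in VULNERABLE_DRIVERS:
            alerts.append(("vulnerable_signed_driver_installed", ev["name"]))
            last_vuln_ts = ev["ts"]
        elif last_vuln_ts is not None and ev["ts"] - last_vuln_ts <= CHAIN_WINDOW:
            alerts.append(("kernel_driver_after_vulnerable_driver", ev["name"]))
    return alerts

if __name__ == "__main__":
    for kind, name in detect_byovd(SAMPLE_LOG):
        print(f"{kind}: {name}")
```

The third driver in the sample installs half an hour later and is not flagged, which shows the time window doing its job; a second install inside the window is the signal worth escalating.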
The Sophos post didn’t identify the vulnerability or vulnerabilities that RobbinHood used to gain initial access to the targeted machines.
In a message, however, Sophos researcher Mark Lohman said the initial exploit targeted an account with administrative privileges, a feat that allowed a file named STEEL.EXE to run.
However that was achieved, the ransomware then dropped a file named STEELE.EXE on to the machine and got it to run.
The vulnerability in the Gigabyte driver is tracked as CVE-2018-19320.
After initially saying the driver was unaffected by the flaw, Gigabyte officials eventually acknowledged the flaw and discontinued the use of the driver.
Despite the demise of the driver, it has remained signed and trusted by all supported versions of Windows.
Microsoft officials declined to speak on the record about their policy for revoking trust in software that’s deprecated for security reasons.
On background, an employee with Microsoft’s outside PR firm said that generally, the company has certificates revoked only when the certificate itself has been compromised, which there’s no evidence happened in this case.
Revocations can result in serious collateral damage when other, non-vulnerable software is signed using the same certificate, the employee wrote in an email.
The background statement also noted that to exploit the Gigabyte driver, an attacker would first have to compromise the targeted system.
The Sophos post said that there are other Windows-trusted drivers with known vulnerabilities that could be used the same way Gigabyte’s GDRV.SYS was used.
The list included signed drivers from VirtualBox (CVE-2008-3431), Novell (CVE-2013-3956), CPU-Z (CVE-2017-15302), and ASUS (CVE-2018-18537).
While the Gigabyte driver may be the first known instance, it very well may not be the last.
* Dan Goodin is the Security Editor at Ars Technica. He tweets at @dangoodin001.
This article first appeared at arstechnica.com.