Hackers are using open source software that’s popular with video game cheaters to allow their Windows-based malware to bypass restrictions Microsoft put in place to prevent such infections from occurring.

The software consists of two tools available on GitHub. Cheaters use them to digitally sign malicious system drivers so they can modify video games in ways that give the player an unfair advantage. The drivers clear the considerable hurdle required for the cheat code to run inside the Windows kernel, the fortified layer of the operating system reserved for the most critical and sensitive functions.

Researchers from Cisco’s Talos security team said Tuesday that multiple Chinese-speaking threat groups have repurposed the tools—one called HookSignTool and the other FuckCertVerifyTimeValidity. Instead of using the kernel access for cheating, the threat actors use it to give their malware capabilities it wouldn’t otherwise have.

A new way to bypass Windows driver restrictions

“During our research we identified threat actors leveraging HookSignTool and FuckCertVerifyTimeValidity, signature timestamp forging tools that have been publicly available since 2019 and 2018 respectively, to deploy these malicious drivers,” the researchers wrote. “While they have gained popularity within the game cheat development community, we have observed the use of these tools on malicious Windows drivers unrelated to game cheats.”

With the debut of Windows Vista, Microsoft enacted strict new restrictions on the loading of system drivers that can run in kernel mode. Drivers are critical for antivirus software, printers, and other kinds of software and peripherals to work, but they have long been a convenient inroad for hackers to run malware in kernel mode. These inroads are available to hackers post-exploit, meaning once they have already gained administrative privileges on a targeted machine.

While attackers who gain such privileges can steal passwords and take other liberties, their malware typically must run in the Windows kernel to perform a large number of more advanced tasks. Under the policy put in place with Vista, all such drivers can be loaded only after they’ve been approved in advance by Microsoft and then digitally signed by a trusted certificate authority to verify they are safe.

Malware developers with admin privileges already had one well-known way to easily bypass the driver restrictions. The technique is known as “bring your own vulnerable driver.” It works by loading a publicly available third-party driver that has already been signed and later is found to contain a vulnerability allowing system takeover. The hackers install the driver post exploit and then exploit the driver vulnerability to inject their malware into the Windows kernel.

Although the technique has existed for more than a decade, Microsoft has yet to devise working defenses and has yet to provide any actionable guidance on mitigating the threat despite one of its executives publicly lauding the efficacy of Windows to defend against it.

The technique Talos has discovered represents a new way to bypass Windows driver restrictions. It exploits a loophole that has existed since the start of the policy that grandfathers in older drivers even when they haven’t been reviewed for safety by Microsoft. The exception, designed to ensure older software was still able to run on Windows systems, is triggered when a driver is signed by a Windows-trusted certificate authority prior to July 29, 2015.

“If a driver is successfully signed this way, it will not be prevented from being installed and started as a service,” Tuesday’s Talos post explained. “As a result, multiple open source tools have been developed to exploit this loophole. This is a known technique though often overlooked despite posing a serious threat to Windows systems and being relatively easy to perform due in part to the tooling being publicly available.”
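The loophole described above turns on a single date: a signature claiming a signing time before July 29, 2015 is accepted without Microsoft review, which is exactly the value HookSignTool and FuckCertVerifyTimeValidity forge. A forged date usually contradicts other evidence inside the file, so a defender can cross-check it. The script below is an added example, not code from the Ars article, the Talos report or either tool; it parses the PE header's TimeDateStamp (the linker's build time) and compares it with the claimed signing time and the signer certificate's validity window. It assumes the signing time and certificate dates were already extracted by another tool (for example signtool or Get-AuthenticodeSignature), that a one-day clock-skew tolerance is acceptable, and that all three sample drivers are constructed in memory; a real attacker can also rewrite the PE timestamp, so a clean result is not proof of legitimacy.

```python
"""Consistency checks for drivers signed under the pre-2015 exception.

Added example, not part of the original article or the Talos report.
The PE TimeDateStamp is parsed from the file; the claimed signing time and
the signer certificate's NotBefore/NotAfter are assumed to come from an
external signature parser. All sample drivers are constructed stubs.
"""
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
CUTOFF = datetime(2015, 7, 29, tzinfo=UTC)   # date named in the article
SKEW = timedelta(days=1)                      # assumed tolerance for build-machine clocks


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    # COFF header follows the 4-byte signature; TimeDateStamp is its third field
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=UTC)


def build_stub_pe(build_time: datetime) -> bytes:
    """Construct a minimal MZ/PE header carrying the given build time (test data only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header right after DOS header
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x8664, 1,
                       int(build_time.timestamp()), 0, 0, 0xF0, 0x22)
    return bytes(dos) + coff


def assess_driver(pe_bytes, signing_time, cert_not_before, cert_not_after):
    """Flag timestamp inconsistencies; returns (grandfathered, findings)."""
    findings = []
    built = pe_compile_time(pe_bytes)
    grandfathered = signing_time < CUTOFF
    # A file cannot have been signed before it was linked (beyond clock skew).
    if built > signing_time + SKEW:
        findings.append("build time postdates claimed signing time")
    # A signing time outside the certificate's lifetime is not a valid signing event.
    if not (cert_not_before <= signing_time <= cert_not_after):
        findings.append("signing time outside certificate validity period")
    return grandfathered, findings


def _d(*ymd):
    return datetime(*ymd, tzinfo=UTC)


def run_demo() -> dict:
    """Assess three constructed drivers; returns {name: (grandfathered, findings)}."""
    samples = {
        # built and signed in 2014 with a then-valid certificate: plausible legacy driver
        "legacy_ok.sys": (build_stub_pe(_d(2014, 3, 1)), _d(2014, 3, 5),
                          _d(2013, 1, 1), _d(2016, 1, 1)),
        # built in 2023 but carrying a 2015-01-15 signing date: the forged-timestamp pattern
        "forged_ts.sys": (build_stub_pe(_d(2023, 5, 10)), _d(2015, 1, 15),
                          _d(2013, 1, 1), _d(2016, 1, 1)),
        # signed after the certificate expired: a time-validity check was bypassed
        "expired_cert.sys": (build_stub_pe(_d(2014, 6, 1)), _d(2017, 2, 1),
                             _d(2013, 1, 1), _d(2016, 1, 1)),
    }
    return {name: assess_driver(*args) for name, args in samples.items()}


if __name__ == "__main__":
    for name, (grandfathered, findings) in run_demo().items():
        policy = "pre-2015 exception" if grandfathered else "current policy"
        print(f"{name}: {policy}; {'; '.join(findings) or 'no inconsistencies'}")
```

In a triage workflow the `grandfathered` flag alone is a useful pivot: any driver on a system that only loads because of the 2015 exception deserves a second look, and one whose build time or certificate lifetime contradicts its signing date deserves immediate isolation and a hash lookup.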

  • Zeth0s@lemmy.world · 78 up, 5 down · 1 year ago

    The article is very badly written. The problem is a Windows vulnerability; it is not the open source software. The open source software is just a simple vector to exploit the vulnerability. Others could be out there.

    • Molecular0079@lemmy.world · 20 up, 1 down · 1 year ago

      Is it even a Windows vulnerability though? The article heavily implies that it’s a Windows issue, but all it’s saying is that hackers with admin access are installing drivers with vulnerabilities and then taking advantage of those vulnerabilities. Why is this a big surprise? If hackers already have admin access then you’re already hosed. This “vulnerability” can happen in any OS.

      This is such a clickbait article that says absolutely nothing we haven’t heard of before. It’s literally basic hacking 101.

      • LeberechtReinhold@lemmy.world · 9 up · edited · 1 year ago

        Yes and no. It’s an escalation issue. Even with administrator access, you are not supposed [note 1] to be allowed to install drivers with an invalid signature, which supposedly have an even higher chain of trust (although this is really iffy unless you are using Secure Boot as well, but that’s another discussion).

        That said, when the attacker already has admin privileges you are so far in the compromised chain that the kernel driver is an issue, but you are most likely completely fucked anyways.

        This just makes your vulnerability state the same as in Linux, where your drivers aren’t required to be signed in the first place, for example.

        [note 1]: There’s a caveat: with admin access you can disable driver signatures entirely, using bcdedit. This is called test signing and leaves a visible watermark at all times with “Test signing enabled”, therefore the user can already see that the computer is compromised. It’s mostly useful for devs (or attacking people who don’t give a fuck).

          • LeberechtReinhold@lemmy.world · 3 up · 1 year ago

            If you have root in Linux you can disable that, so you are in the same state. You could also self-sign.

            This is an issue, but IMHO quite overblown.

            • Zeth0s@lemmy.world · 2 up · edited · 1 year ago

              If a bad actor disables it, it requires a reboot and you get a huge warning. You probably even need to enter some keyphrase, if I remember correctly. Anyway, it doesn’t go unnoticed. That is the main issue.

            • meisme@lemmy.world · 2 up · 1 year ago

              Self-signing sends you to the BIOS to approve the key, and requires you to enter a password that was used when creating the key. It’s all but impossible to do it accidentally, as if you have no idea what you’re doing you won’t know the password.

              • LeberechtReinhold@lemmy.world · 1 up · 1 year ago

                Yeah, the password is much better. In Windows you also realize it because the admin screen is hard to miss, but you can just go ahead and accept it, since many users run their PC as admins.

        • Molecular0079@lemmy.world · 1 up · 1 year ago

          Yeah, the Ars article gave the impression that they were simply installing vulnerable versions of legit drivers and then taking advantage of that vulnerability. That’s very different from installing drivers with an invalid signature. If this is the case then it’s a very serious vulnerability indeed.

          • LeberechtReinhold@lemmy.world · 1 up · 1 year ago

            With admin privileges you can do the first one though, as the whole revocation list on certs is a fucking general mess (and that applies to web in general, not just windows).

            In general if your attacker is admin or has tricked you into executing something as admin, you are pretty much fucked, regardless of drivers.

            • Riskable@programming.dev · 1 up · 1 year ago

              The real problem here is that the vulnerable driver has a privilege level above admin. Once you’re exploited you can’t even figure it out because the malware will then be running as the same privilege level of a driver and as admin you won’t have the power to effectively investigate that since the malware has a higher privilege.

              You have to do everything offline if you want to detect if you’ve been compromised or not. Otherwise you’re just going to have to wait and hope Microsoft puts out a special tool to detect and remove it (which they often do).

              The entire concept of anything on the OS running at a privilege level above admin (but below kernel) is absurd to begin with. It only exists because Microsoft had this grand “Trusted Computing” plan back in the day that was supposed to install them as the sole gatekeepers of all media playing back on PCs. Hardware encryption and signed everything, including the damned video cable going to your monitor.

              In order to facilitate that they invented this permission level below kernel but above admin, because you can’t give the end users a mechanism to work around the encryption! If the drivers and that used it ran at the same level as admin, someone with such rights could just run some debug tools to dump memory and other runtime stuff to grab the decryption keys and do all sorts of terrible things like… copy the media being played! (The horror.)

              So now, thanks to that effort, Windows has a very unique sort of malware that no other OS has to deal with. Impossible to detect while running and extremely difficult to get rid of.

              Linux doesn’t have this problem because even if a malicious kernel driver is messing with all running binaries there are ways to build a binary that can detect when it has been messed with and also identify the mechanism of action. See: chkrootkit.

        • Molecular0079@lemmy.world · 3 up · 1 year ago

          Gotcha… this is a lot different from what Ars was saying. Being able to sign a maliciously modified driver is very different from using a legitimately signed driver that has a security vulnerability and taking advantage of it.

  • LeberechtReinhold@lemmy.world · 27 up · 1 year ago

    The whole signing of kernel drivers and UEFI code has always felt more like a walled garden/security racket to get actual legitimate hobbyist/open source developers to pay a shit ton for certificates, rather than actual security. Especially with all the hoops with older version support (if you wanted to fully support Windows Vista or early 7 you needed to dual-sign with SHA-1, and most cert companies didn’t know that and you had to fight with them to provide one), and the super shitty page that was the Windows hardware development center for signing.

    • Rairii@haqueers.com · 6 up, 1 down · 1 year ago

      @LeberechtReinhold I can understand why it was done in the first place, but MS just blindly signing anything they are given is stupid; they should at least disallow binaries packed by Themida or VMProtect.

      VMProtect on a driver is an indicator of compromise, especially if the cert/opus info references a Chinese entity.

    • LeberechtReinhold@lemmy.world · 5 up · edited · 1 year ago

      No, that exploited a legitimate driver to be a point of entry and enable other attacks, and is much more problematic.

      This enables attackers to make non-legitimate drivers appear legitimate to Windows, but they have to be installed anyway, requiring admin privileges.

      • techt@lemmy.world · 1 up · 1 year ago

        Just start searching with your engine of choice. Here is an article that might get you started. I used Mint and it’s quite true to the Windows experience in my opinion. For your second question, the answer is maybe! Sometimes it works well in a Windows emulator, sometimes there’s a good replacement. Diving into tech forum threads is part of the process!

    • ebits21@lemmy.ca · 4 up · 1 year ago

      Ehh, every piece of software gets vulnerabilities.

      Coming from a long-term Linux user.

  • Meow.tar.gz@lemmy.goblackcat.com · 5 up, 5 down · 1 year ago

    IMHO, Windows itself is malware. 🤣 But seriously, generally signing services that have not been verified and vetted leads to bad things.

    • BlinkerFluid@lemmy.one · 1 up, 2 down · edited · 1 year ago

      Good for planning your stock buys. Heard the Activision/Blizzard deal went through.

      That’s either a sinking ship or a rising submarine, but considering Microsoft’s recent track record with gaming, I’m not touching it any more than my mutual fund lightly touches it.

  • YellowtoOrange@lemmy.world · 11 up, 16 down · 1 year ago

    Wonder how many Windows computers aren’t updated regularly. And since the updates often fuck things up (like that big Win 11 update fucking up Remote Desktop), no wonder we’re suspicious of them.