Ransomware Installs Gigabyte Driver To Kill Antivirus Products (zdnet.com)

A ransomware gang is installing vulnerable GIGABYTE drivers on computers it wants to infect. From a report: The purpose of these drivers is to allow the hackers to disable security products so their ransomware strain can encrypt files without being detected or stopped. This novel technique has been spotted in two ransomware incidents so far, according to UK cybersecurity firm Sophos. In both cases, the ransomware was RobbinHood, a strain of "big-game" ransomware that's usually employed in targeted attacks against selected, high-value targets. In a report published late last night, Sophos described the technique as follows:
1. Ransomware gang gets a foothold on a victim's network.
2. Hackers install legitimate Gigabyte kernel driver GDRV.SYS.
3. Hackers exploit a vulnerability in this legitimate driver to gain kernel access.
4. Attackers use the kernel access to temporarily disable the Windows OS driver signature enforcement.
5. Hackers install a malicious kernel driver named RBNL.SYS.
6. Attackers use this driver to disable or stop antivirus and other security products running on an infected host.
7. Hackers execute the RobbinHood ransomware and encrypt the victim's files.
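As an added defender-side example (not code from the article, ZDNet or Sophos): a small Python correlation that flags the load order the seven steps describe, a known-vulnerable signed driver followed within minutes by a driver that is unsigned or fails signature validation, which is only possible once step 4 has switched off signature enforcement. The log format, file paths, timestamps and the 15-minute window are constructed assumptions modelled loosely on Sysmon Event ID 6 (Driver loaded) fields.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Driver file names the summary identifies as abused. Matching by name alone is
# weak evidence; a production rule should also key on hashes and signer identity.
KNOWN_VULNERABLE_DRIVERS = {"gdrv.sys"}
WINDOW = timedelta(minutes=15)  # assumed correlation window, not from the report

# Constructed telemetry: one simplified key=value line per driver load.
SAMPLE_LOG = """\
UtcTime=2020-02-06 22:01:10|ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys|Signed=true|SignatureStatus=Valid
UtcTime=2020-02-06 22:14:02|ImageLoaded=C:\\Windows\\Temp\\GDRV.SYS|Signed=true|SignatureStatus=Valid
UtcTime=2020-02-06 22:14:09|ImageLoaded=C:\\Windows\\Temp\\RBNL.SYS|Signed=false|SignatureStatus=Unavailable
"""

@dataclass
class DriverLoad:
    utc_time: datetime
    image_loaded: str
    signed: bool
    signature_status: str

def parse_log(text):
    """Parse the constructed key=value lines into DriverLoad records."""
    events = []
    for line in text.splitlines():
        kv = dict(part.split("=", 1) for part in line.split("|"))
        events.append(DriverLoad(
            datetime.strptime(kv["UtcTime"], "%Y-%m-%d %H:%M:%S"),
            kv["ImageLoaded"], kv["Signed"].lower() == "true", kv["SignatureStatus"]))
    return events

def driver_name(path):
    # Normalise Windows paths and compare file names case-insensitively.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_byovd_sequences(events):
    """Return (vulnerable_load, untrusted_load) pairs: an unsigned or invalidly
    signed driver loaded within WINDOW after a known-vulnerable driver."""
    events = sorted(events, key=lambda e: e.utc_time)
    alerts = []
    for i, first in enumerate(events):
        if driver_name(first.image_loaded) not in KNOWN_VULNERABLE_DRIVERS:
            continue
        for later in events[i + 1:]:
            if later.utc_time - first.utc_time > WINDOW:
                break  # events are time-ordered, nothing later can match
            if not later.signed or later.signature_status.lower() != "valid":
                alerts.append((first, later))
    return alerts
```

On the constructed sample this returns a single pair, GDRV.SYS followed seven seconds later by the unsigned RBNL.SYS; a benign boot sequence of validly signed drivers produces no alert.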

  • by jason777 ( 557591 ) on Friday February 07, 2020 @03:43PM (#59702642)
    You have to admit, that's pretty clever. But how do they get them on there initially?
  • Doc: "Go back to the future and destroy all Gigabyte software, Marty!"
    Marty: "OK doc I'll kill it with fire!"
  • ... Linux support for these drivers lags far behind.

  • by nuckfuts ( 690967 ) on Friday February 07, 2020 @03:48PM (#59702660)
    If they're logged in with sufficient privilege to install kernel drivers, aren't the victims owned already?
    • A simple targeted phishing campaign will always net you someone's credentials in a large network. Since every simpering user wants administrative access so they can install either a game or crappy piece of 'essential' software that requires administrator privileges to run (many of you won't believe how many of these pieces of crap are still out there today) they only have to get lucky with one person with either a legitimate business need for admin rights or the right manager's ear to get into a network (n

    • If they're logged in with sufficient privilege to install kernel drivers, aren't the victims owned already?

      Yes, but by doing what the summary said, it makes it virtually impossible to stop and remove the infection.

      • Yes, but by doing what the summary said, it makes it virtually impossible to stop and remove the infection.

        True, but from what I've experienced in cases of ransomware attacks, removing the infection is not the problem. It's that your files have been encrypted, often in the tens or hundreds of thousands. An infected machine can be reinstalled from scratch if necessary. Tedious and time consuming, but doable. Your data can't be conjured back from scratch, however. You either have a good backup, or you're screwed.

    • It's in the BIOS, not the kernel.
  • Linux has a major advantage. The drivers are maintained at the kernel level, in a modular way. Every driver can be fully disabled.
  • It doesn't matter now whether Gigabyte releases a patch: the ransomware could just include the broken version. The only way to fix it is for Microsoft to issue a Windows Update to blacklist that driver...including handling the fallout from breaking machines that use the driver.

    Note that most Linux systems don't have driver signing, so it's even easier on Linux.

    • by xwin ( 848234 )
      Antivirus software should just flag this driver as a virus. This way if it gets into the system antivirus software would just catch it and block it.
      • Completely impractical solution. Why? Because whoever flags it (Windows or 3rd party anti-virus) suddenly gets flooded with calls from customers who had the driver installed already but never updated, and suddenly the computer tells them it has a virus (or worse, the computer doesn't boot because of a "bad" driver). Simply put, Microsoft cannot blacklist software already installed on millions of computers. Antivirus software will not flag it as a virus either, to avoid similar customer backlash.

        At best, may

    • The mechanism which is supposed to be used to blacklist the driver is certificate revocation. However, the article posted by Sophos [sophos.com] also puts the blame on Verisign for not doing just that:

      "Verisign, whose code signing mechanism was used to digitally sign the driver, has not revoked the signing certificate, so the Authenticode signature remains valid," Sophos researchers said, explaining why it was still possible today to load a now-deprecated and known-vulnerable driver inside Windows.

      • One solution. MS installs a few modules with invalid signatures. The AV modules check these occasionally and scream blue murder if they PASS the check. This should already be there, as well as an AV heartbeat.
    • Installing a driver manually is very unusual on Linux. Some software asking to do it would raise *all* the eyebrows.

  • ... do a global search of c:\ for rbnl.sys?

  • by hcs_$reboot ( 1536101 ) on Saturday February 08, 2020 @01:21AM (#59704222)
    At last! Someone found a way to uninstall these sti(n)cky antiviruses!
