Windows PCs Threat: Over Forty Drivers Let Hackers Install a Persistent Backdoor


Malware Drivers: You are probably screwed if you own a device or a hardware component manufactured by ASUS, Toshiba, Intel, Huawei, NVIDIA or one of the other vendors listed later in this article.

A team of security researchers has discovered high-risk vulnerabilities in more than 40 drivers from at least 20 different vendors that could let attackers gain the most privileged level of access on a system and hide malware in a way that stays undetected over time, sometimes for years. For sophisticated attackers, maintaining persistence after compromising a system is one of the most important tasks, and flaws in drivers that are already installed and trusted by the operating system are a convenient way to achieve it.


One such component is the device driver (commonly just called a driver or hardware driver): a piece of software that controls a particular type of hardware device and lets it communicate with the operating system. Because device drivers sit between the hardware and the operating system (OS) and in most cases run with privileged access to the OS kernel, a flaw in a driver can lead to code execution at the kernel level. Such a privilege escalation moves an attacker from user mode (Ring 3) to kernel mode (Ring 0), letting them install a persistent backdoor that the user would probably never notice.

Discovered by researchers at the firmware and hardware security firm Eclypsium, some of the new vulnerabilities could permit arbitrary read/write of kernel memory, model-specific registers (MSRs), control registers (CR), debug registers (DR) and physical memory from user mode. Because malware running in user space can simply scan for a vulnerable driver already present on the victim's machine and abuse it, attackers do not have to install a vulnerable driver of their own, which would otherwise require administrator privileges. The vendors whose drivers the researchers found vulnerable, all of them signed and certified by Microsoft, are listed below:


  • American Megatrends International (AMI)
  • ASRock
  • ASUSTeK Computer
  • ATI Technologies (AMD)
  • Biostar
  • EVGA
  • Getac
  • Huawei
  • Insyde
  • Intel
  • Micro-Star International (MSI)
  • Phoenix Technologies
  • Realtek Semiconductor
  • SuperMicro
  • Toshiba

Three more hardware vendors are not yet named: the researchers say those vendors are still under embargo because their drivers are used in highly regulated environments, and a fix will take longer than usual to certify and deploy to customers.

Device driver flaws can be more serious than other application vulnerabilities because they give an attacker access to the "negative" rings beneath the operating system, such as firmware, and allow persistence on the device even if the operating system is completely reinstalled, as in the case of the LoJax UEFI malware. The researchers have reported all of these vulnerabilities to the affected vendors, some of which, including Intel and Huawei, have already released patches and issued security advisories. The researchers have also promised to soon publish a script on GitHub to help users find such "wormhole" drivers installed on their systems, along with proof-of-concept code, video demonstrations, and links to the vulnerable or malicious drivers and tools.
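While the researchers' own script was not yet published at the time of the article, the triage it describes, and the user-space "scan for a vulnerable driver" step described earlier, can be reproduced with built-in Windows tooling. The PowerShell below is an added example, not code from Eclypsium or The Hacker News: it enumerates the kernel drivers registered on the machine, resolves each driver image on disk, reads its Authenticode signer and version-resource company name, and flags drivers belonging to a vendor named in the list above. The vendor substrings are an assumption about how each vendor names itself in certificates and version resources; a match means "check this driver against the vendor's advisory", not "this driver is vulnerable".

```powershell
# Added example, not code from Eclypsium or The Hacker News. Inventories registered kernel
# drivers and flags those from vendors named in the article. Run from an elevated PowerShell
# prompt; only built-in cmdlets are used.

# Vendor names as they appear on the page. The substrings are an assumption about how each
# vendor names itself in code-signing certificates and in the driver's version resource.
$VendorPatterns = @(
    'American Megatrends', 'ASRock', 'ASUSTeK', 'ATI Technologies', 'Advanced Micro Devices',
    'Biostar', 'EVGA', 'Getac', 'Huawei', 'Insyde', 'Intel Corporation', 'Micro-Star',
    'Phoenix Technologies', 'Realtek', 'Super Micro', 'Toshiba'
)

function Resolve-DriverPath {
    param([string]$RawPath)
    # Win32_SystemDriver.PathName comes in NT-style or relative form; normalise to a Win32 path.
    $p = $RawPath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverInventory {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }   # image missing on disk
            $sig     = Get-AuthenticodeSignature -FilePath $path
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $ver     = (Get-Item -LiteralPath $path).VersionInfo
            # WHQL-signed drivers carry a Microsoft publisher certificate, so the vendor is
            # often visible only in the version resource; match on both fields.
            $vendor  = $VendorPatterns |
                Where-Object { $subject -like "*$_*" -or $ver.CompanyName -like "*$_*" } |
                Select-Object -First 1
            [pscustomobject]@{
                Name        = $_.Name
                State       = $_.State
                StartMode   = $_.StartMode
                Path        = $path
                SigStatus   = $sig.Status
                Signer      = $subject
                Company     = $ver.CompanyName
                FileVersion = $ver.FileVersion
                Vendor      = $vendor
            }
        }
}

$inventory = Get-DriverInventory

# Every registered driver from a listed vendor, with the version to compare against the advisory.
$inventory | Where-Object { $_.Vendor } |
    Sort-Object Vendor, Name |
    Format-Table Name, State, StartMode, Vendor, FileVersion, SigStatus, Path -AutoSize

# Loaded drivers are the ones user-mode code can open a handle to right now; list them
# separately so they are patched or removed first.
$inventory | Where-Object { $_.Vendor -and $_.State -eq 'Running' } |
    Select-Object Name, Vendor, FileVersion, Path
```

Two caveats a practitioner should keep in mind. First, this inventory only covers drivers registered as services on the machine; a signed but vulnerable driver that an attacker brings along and loads with administrator rights is not in it, so the complementary controls are a driver blocklist enforced by Microsoft's vulnerable driver blocklist or a WDAC policy, and monitoring of driver-load events (Sysmon Event ID 6). Second, a vendor match says nothing about whether the specific file version is the patched one; the file version column is there so it can be compared with the advisory each vendor issues.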

Source: The Hacker News
