
Forgotten motherboard driver turns out to be perfect for slipping Windows ransomware past antivirus checks
2020-02-11 02:00

A kernel-level Windows driver for old PC motherboards has been abused by criminals to silently disable antivirus protections, and hold files to ransom.

When the ransomware infects a computer - either by some other exploit or by tricking a victim into running it - and loads the driver, the operating system and antivirus packages will allow it because the driver appears legit.

"In this attack scenario, the criminals have used the Gigabyte driver as a wedge so they could load a second, unsigned driver into Windows," Sophos explains.

Specifically, RobbinHood loads the Gigabyte driver, exploits the read-write hole to turn off code-signing checks, loads its own unsigned driver unobstructed, and then instructs it to kill off the processes and files of antivirus products, including their kernel drivers.

RobbinHood requires administrator access to load the vulnerable motherboard driver in the first place, so you may be wondering what the point of all this is: if you're a miscreant with admin access, you can do anything you like.
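The attack chain above (a signed but known-vulnerable driver load, then an unsigned driver load, then forced termination of antivirus components) is the sequence a defender wants to correlate in driver-load and process telemetry. The detector below is an added example, not code from the article or from Sophos; the event format, the blocklist hash, the driver and antivirus image names are all constructed placeholders.

```python
"""Correlate driver-load and process-kill events into the three-step chain
described in the article. Events, hashes and names are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholder; a real blocklist would hold published hashes of
# known-vulnerable signed drivers.
VULNERABLE_DRIVER_HASHES = {"PLACEHOLDER-SHA256-OF-VULNERABLE-MOTHERBOARD-DRIVER"}
# Constructed antivirus image names whose termination is suspicious.
AV_IMAGES = {"avservice.exe", "avfilter.sys"}

@dataclass
class Event:
    ts: int            # seconds since boot (constructed clock)
    kind: str          # "driver_load" or "process_kill"
    image: str         # driver or process image name
    signed: bool = True
    sha256: str = ""

def find_byovd_chain(events: List[Event], window: int = 300) -> Optional[Tuple[Event, Event, Event]]:
    """Return (vulnerable_load, unsigned_load, av_kill) when the three steps
    occur in order, each within `window` seconds of the previous; else None."""
    vuln: Optional[Event] = None
    unsigned: Optional[Event] = None
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "driver_load" and e.signed and e.sha256 in VULNERABLE_DRIVER_HASHES:
            vuln, unsigned = e, None          # step 1: the signed "wedge" driver
        elif e.kind == "driver_load" and not e.signed and vuln and e.ts - vuln.ts <= window:
            unsigned = e                      # step 2: unsigned driver loads unobstructed
        elif e.kind == "process_kill" and unsigned and e.image in AV_IMAGES and e.ts - unsigned.ts <= window:
            return vuln, unsigned, e          # step 3: antivirus killed from kernel
    return None

# Constructed samples: one full chain, and one unsigned test-driver load
# with no preceding wedge driver, which must not fire.
MALICIOUS = [
    Event(10, "driver_load", "mbdriver.sys", True, "PLACEHOLDER-SHA256-OF-VULNERABLE-MOTHERBOARD-DRIVER"),
    Event(12, "driver_load", "unsigned_payload.sys", False),
    Event(15, "process_kill", "avservice.exe"),
]
BENIGN = [
    Event(10, "driver_load", "testdrv.sys", False),
    Event(40, "process_kill", "avservice.exe"),  # e.g. an admin stopping the service
]

if __name__ == "__main__":
    print("chain detected" if find_byovd_chain(MALICIOUS) else "no chain")
```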


News URL

https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/11/forgotten_gigabte_driver_robbinhood/