Ransomware installs Gigabyte driver to kill antivirus products

He Who Points And Laughs

Original Story || Archive

Essentially, Gigabyte ignored an issue with its GDRV.SYS driver allowing hackers to exploit a vulnerability to gain kernel access. Having access they can install a dodgy kernel driver (RBNL.SYS) to then disable antivirus and other protections, then they can execute the RobbinHood ransomware to encrypt the victim's files.

Verisign is also at fault as it hasn't revoked the signing certificate of the driver.
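As an added example (not part of the story or this thread), a PowerShell check a defender could run on a Windows host to see whether either driver named above is registered, whether it is currently running, and who signed it. Only the two driver file names come from the post; the cmdlets are standard Windows PowerShell, and the check only covers drivers registered as services.

```powershell
# Added example, not from the article or the thread.
# Driver file names taken from the story; extend the list with your own names if needed.
$SuspectDrivers = @('gdrv.sys', 'rbnl.sys')

function Get-SuspectDriverReport {
    param([string[]] $Names = $SuspectDrivers)

    # Win32_SystemDriver lists kernel drivers registered as services, with their
    # on-disk path, current state (Running/Stopped) and start type.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName may be written as \??\C:\...\gdrv.sys or \SystemRoot\...; normalise it
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            $leaf = [System.IO.Path]::GetFileName($path)

            if ($Names -contains $leaf.ToLowerInvariant()) {
                # Read the Authenticode signature so the signer (and whether it is still
                # considered valid on this host) appears next to the driver.
                $sig = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

                [pscustomobject]@{
                    Service   = $_.Name
                    Driver    = $leaf
                    Path      = $path
                    State     = $_.State
                    StartMode = $_.StartMode
                    Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
                    SigStatus = if ($sig) { $sig.Status } else { 'file missing' }
                }
            }
        }
}

# An empty table means neither driver is registered as a service on this host.
Get-SuspectDriverReport | Format-Table -AutoSize
```

A hit on gdrv.sys alone is expected on a machine with Gigabyte software installed; a hit on rbnl.sys, or a gdrv.sys whose SigStatus is not Valid, is what warrants a closer look.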
 
Article is woefully underinformative.

Who is this a threat to?

Everyone?
Just Windows users? EDIT: re-read, Windows 7, 8, 10 explicitly named. But does that exclude other OS from vulnerability?
Do you have to have Gigabyte-make components? Is it all components? Just MOBO?
 

It's a windows driver. Your Plan9 laptop is fine.
 
I'm surprised that doesn't happen more often.
Drivers are notoriously badly programmed without any regard to security and usually run in Ring 0.
 
With all those stupid systray apps talking to the driver that let you control your RGB lights or whatever and send out all your information to the internet, it can't be that hard.

Well, it's not as easy as just putting ' OR '1'='1 into a poorly coded login utility.
 
Built someone a computer with a Gigabyte motherboard. Might need to give their system a check up.

This is why I only update drivers when it's needed.
 
Well, it didn't seem that you knew it was obvious when you said, literally, "It's a windows driver. Your Plan9 laptop is fine."

I linked TFA. I archived TFA and linked that to the OP as well. I summarized TFA into 3 sentences which explain it.

[Attached screenshot: "gdrv sys Windows process - What is it .png"]

It is a Windows driver.
 
It's not a Windows driver. It's a Gigabyte driver FOR Windows. There is a difference you moron. One would be on all copies of Windows for all people, the other is only on computers with Windows AND with Gigabyte hardware. For instance, my computer, with Windows, does not have a Gigabyte motherboard, hence IT DOESN'T HAVE THE DRIVER. Is this still too complicated for you to follow?
 
The question was whether it affects other operating systems than windows. The answer was no, because it's a driver for windows, you utter tard. Learn to read before spouting off next time.

Besides, the virus is installing the driver as part of its infection process. No gigabyte hardware needed.
 
That actually WASN'T the question, moron. This was the question: "Who is this a threat to? Everyone? Just Windows users?" To which the correct answer would have been "Anyone on Windows who has a Gigabyte motherboard." How the fuck are you seriously this dense? You really might want to get your sight checked out and at the very least brush up on those reading comprehension skills. Also, no one is magically voodooing the drivers onto your computer; the only people who would be coming into contact with the driver in question are people with Gigabyte hardware or people whose security is already compromised.
 