- Joined
- Mar 4, 2019
Ransomware installs Gigabyte driver to kill antivirus products
- Thread starter He Who Points And Laughs
- Start date
- Joined
- Mar 21, 2019
- Joined
- Nov 21, 2019
That's not the correct answer you dumb fuck.
- Ransomware gang gets a foothold on a victim's network.
- Hackers install legitimate Gigabyte kernel driver GDRV.SYS.
- Hackers exploit a vulnerability in this legitimate driver to gain kernel access.
- Attackers use the kernel access to temporarily disable the Windows OS driver signature enforcement.
- Hackers install a malicious kernel driver named RBNL.SYS.
- Attackers use this driver to disable or stop antivirus and other security products running on an infected host.
- Hackers execute the RobbinHood ransomware and encrypt the victim's files.
- Joined
- Mar 15, 2019
- Joined
- Mar 15, 2019
One does not actually need to have the actual hardware for forcing a driver installation on Windows, it just needs to be correctly signed with a trusted certificate. Now, that it has been done once, expect attackers to troll through thousands of still trusted hardware drivers for devices not even in production or out of support with similar vulnerabilities.
So no, the attack does not rely on you having a Gigabyte mobo, Gigabyte mobo owners may be even better off, since attacker has to do an extra step for downgrading the current driver without the vulnerability.
- Joined
- Mar 4, 2019
Yes. It's right there in the post that asked the question, you fucking mong.
Barry Scott
kiwifarms.net
- Joined
- Sep 8, 2019
This is the most autistic argument I've seen in a long time.
- Joined
- Jan 28, 2018
- Joined
- Jul 23, 2016
You're too old to even run affected Windows platforms at that point.
- Joined
- Sep 18, 2017
You exceptional ignoramus.
Indeed. This kid has no idea WTF is going on and assumes that the people who actually DO understand are misleading others. Total sped.
Last edited:
- Joined
- Apr 11, 2019
The malware installs the driver you belligerent sped. You don't need to have it installed already, you don't even need to have Gigabyte hardware, the vulnerable driver is packed into the executable so that it can be dropped and manually installed when the executable runs. Here, see for yourself:
The fact that you think manually installing a digitally signed driver from a trusted vendor on a compromised system is "magical voodoo" is a testament to your ignorance and illiteracy. No shit it only works on compromised systems — the article says as much, and the fact that it's a privilege escalation attack would make it obvious even if it wasn't stated. They need to have the privileges to install a driver for their driver-based exploit to work.
It's a threat to anyone who's running Windows regardless of their hardware because it allows the attacker to turn a basic bitch user mode compromise into a full-on kernel mode assfucking. It lets them disable security products at a deeper level than most endpoint solutions can detect or prevent. It's the Terry A. Davis of compromises: it runs in ring 0 and beats the nigger because he thinks GDRV.SYS is real mode.
It's been fun watching you embarrass yourself by bringing a baby carrot to a dick measuring contest, but if I was you I'd take this as a sign to pull my pants back up and go do some more reading.
- Joined
- Sep 18, 2017
Blood Bath & Beyond
You might want to look into getting some training before arguing about technology you do not understand.
You might want to look into getting some training before arguing about technology you do not understand.
- Joined
- Dec 28, 2014
Serves them right for running Satanic code in Ring 0 where God intended only the holiest of code to run.
- Joined
- Mar 21, 2019
I didn't say it required the user to have the Gigabyte mobo, I said that the only people who would be installing the driver would be people with a Gigabyte mobo or people whose systems are already compromised. You can't driveby install a driver into someones system without them at least approving of it. Microsoft isn't pushing the driver to anyone in an update or anything like that either. I'm really not sure
Last edited:
- Joined
- Jun 24, 2019
I'm not sure if this is correct, but the virus might be exploiting that the bad driver is still signed to install it and use it as a backdoor.
- Joined
- Mar 4, 2019
It's not correct, and that's exactly what's going on. Driver installs don't necessarily require user permission when they're appropriate signed, but eveni f they do, it's easy enough to disguise that permission behind an innocuous dialogue. This is partially the result of the way that windows handles privilege elevation for certain tasks via UAC dialogues, which have been routinely and rightly criticised for creating dialogue fatigue in users, resulting in them okaying anything that pops up so they can keep on doing what they were doing, rather than paying attention the questions that the OS is asking and taking appropriate action.
What the mong doesn't understand is that computer virus infection is mostly an exercise in social engineering to get to the point where an exploit is possible. Most infections occur as the result of people being engineered into clicking things they shouldn't click. Getting them to okay the installation of a driver is child's play.
And it's still a windows driver.
- Joined
- Mar 21, 2019
The only people who would be seeking out the driver and who would most likely have a chance of interaction with it would be those who have Gigabyte hardware. Other than that if you're downloading random shit and you so happen to install malware and this particular driver is packaged with it, then that is because you are an idiot. Yes, I know that in the most general sense Windows is vulnerable to this attack and the driver could be packaged with some other executable, but the point is that the vast majority of people would never encounter it and the people most likely to encounter it would be people with Gigabyte hardware. People just generally being retarded and not practicing common sense internet safety are not what I am referring to, because in that particular case, the specific vector of attack is unimportant, they could be compromised with a million different fake or faulty software, drivers, whatever. The people who are vulnerable to this aren't "Windows users" the people who are vulnerable are idiots or people with Gigabyte hardware. Maybe I am the fucking mong here, but this is a clear distinction in my mind.
Edit: I get why you all think I'm a idiot now and I guess I sort of agree. I think we were arguing two separate things and I was being completely oblivious to that while you all were not. Please rate autistic.
Edit: I get why you all think I'm a idiot now and I guess I sort of agree. I think we were arguing two separate things and I was being completely oblivious to that while you all were not. Please rate autistic.
Last edited:
- Joined
- Sep 17, 2019
C'mon bro, don't do this
Living off another land: Ransomware borrows vulnerable driver to remove security software
Sophos has been investigating two different ransomware attacks where the adversaries deployed a legitimate, digitally signed hardware driver in order to delete security products from the targeted c…
news.sophos.com
EDIT: Just saw your edit now. No worries!
- Joined
- Mar 21, 2019
I already realized the error of my ways and edited my post to reflect that.
- Joined
- Feb 13, 2020
There's also Capcom and Intel drivers that are used to gain kernel access pretty easily.
Usually they're used for bypassing anticheats, never thought of using it for malware.
Usually they're used for bypassing anticheats, never thought of using it for malware.
kdmapper - manual map your driver using a vulnerable driver by Intel
So, this driver (iqvw64e.sys) comes as part of Intel LAN drivers and it allows to copy, read and write user/kernel memory, map physical memory and per...
www.unknowncheats.me
Capcom.sys + Usage example
I haven't seen this posted anywhere around here, so I might as well do it. Download for the driver at the bottom of the post. Background: On the PC ve...
www.unknowncheats.me