Malware with faked timestamps on the rise to bypass Windows protections
Microsoft banned more than 100 signed malicious Windows drivers just last week after it was informed that malicious actors had joined the company's Windows Hardware Developer Program to get malware-laden drivers signed.
Security researchers at Cisco Talos Intelligence have now pointed out another threat related to drivers on Windows.
Microsoft implemented additional security in several versions of its Windows operating system to prevent the loading of malicious or problematic drivers on Windows devices. Windows Vista required kernel-mode drivers to be signed digitally with a certificate from a verified certificate authority.
Kernel-mode drivers are loaded at an early stage of boot, which gives them a lot of control over the system in question. Signature enforcement was a major game changer for Windows security.
Windows 10 version 1607 introduced an updated driver signing policy. The main change was that developers now had to submit kernel-mode drivers to Microsoft's Developer Portal to get them signed. This change was designed to limit malicious actors further and to make sure that drivers met Microsoft's requirements and security standards.
Microsoft created three exceptions to the new policy: it does not apply to a PC that was upgraded from an earlier version of Windows to Windows 10 version 1607, and it does not apply to PCs with Secure Boot turned off.
The third exception allows drivers to be signed with an "end-entity certificate issued prior to July 29th 2015 that chains to a supported cross-signed CA"; according to Cisco, this third exception creates a loophole.
Malicious actors have started to exploit this loophole to deploy malicious drivers without submitting them to Microsoft. Talos Intelligence reports that the loophole has been used to create "thousands of malicious, signed drivers" using tools that forge the signature timestamp, so that a signature appears to have been made while the old certificate was still valid.
Cisco recommends blocking the certificates mentioned in its blog post. The certificates named in the blog post are the following:
- Beijing Shihai Trading Co Ltd
- Beijing JoinHope Image Technology Ltd.
- Shenzhen Luyoudashi Technology Co., Ltd.
- Jiangsu innovation safety assessment Co., Ltd.
- Baoji zhihengtaiye co.,ltd
- Zhuhai liancheng Technology Co., Ltd.
- Fuqing Yuntan Network Tech Co.,Ltd.
- Beijing Chunbai Technology Development Co., Ltd
- (signer name not recoverable from the source text)
- NHN USA Inc.
- Open Source Developer, William Zoltan
- Luca Marcone
- HT Srl
The security researchers analyzed 300 malicious samples and found that about half carried a language code. Most of the samples with a language code were set to Chinese (Simplified).
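To turn the policy exception, the certificate list and the language-code observation above into something a defender can run, here is an added PowerShell inventory script. It is not code from Cisco Talos or Microsoft; the function name `Find-SuspectDriverSignature`, the default driver folder and the "review reasons" are this example's own choices. It walks the `.sys` files in the driver directory, reads each Authenticode signature with `Get-AuthenticodeSignature`, and flags a file when its signer matches one of the organisations Talos listed, when the signer certificate was issued before the July 29th 2015 cut-off (and is therefore eligible for the legacy cross-signed path that skips portal submission), or when the signature does not verify. Because a forged timestamp is what makes an expired legacy certificate look acceptable, the output also records whether a timestamp countersignature is present and which authority issued it, together with the file's version-resource language, so that Chinese (Simplified) resources on an unexpected driver stand out. Run it in an elevated PowerShell session on the Windows host being reviewed.

```powershell
# Added example (not Cisco Talos or Microsoft code): inventory kernel-mode driver
# signatures and flag the ones that merit review in light of the legacy-certificate
# exception described in the article. Assumes an elevated PowerShell on Windows.

# Signer organisations named in the Talos report (copied from the list above).
$BlockedSubjects = @(
    'Beijing Shihai Trading Co Ltd',
    'Beijing JoinHope Image Technology Ltd.',
    'Shenzhen Luyoudashi Technology Co., Ltd.',
    'Jiangsu innovation safety assessment Co., Ltd.',
    'Baoji zhihengtaiye co.,ltd',
    'Zhuhai liancheng Technology Co., Ltd.',
    'Fuqing Yuntan Network Tech Co.,Ltd.',
    'Beijing Chunbai Technology Development Co., Ltd',
    'NHN USA Inc.',
    'Open Source Developer, William Zoltan',
    'Luca Marcone',
    'HT Srl'
)

# Cut-off from the policy exception: end-entity certificates issued before this
# date may still sign kernel drivers without going through the Microsoft portal.
$LegacyCutoff = [datetime]'2015-07-29'

function Find-SuspectDriverSignature {
    param(
        # Default location is an assumption of this example; DriverStore may hold more.
        [string]$DriverPath = "$env:SystemRoot\System32\drivers",
        [string[]]$Subjects = $BlockedSubjects,
        [datetime]$Cutoff = $LegacyCutoff
    )

    Get-ChildItem -Path $DriverPath -Filter '*.sys' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
            $cert = $sig.SignerCertificate
            if (-not $cert) { return }   # unsigned or unreadable: handle elsewhere

            $reasons = @()

            # 1. Signer is one of the organisations Talos reported.
            foreach ($s in $Subjects) {
                if ($cert.Subject -like "*$s*") {
                    $reasons += "signer on Talos list ($s)"
                    break
                }
            }

            # 2. Certificate predates the cut-off, so it is eligible for the
            #    legacy cross-signed path that bypasses portal submission.
            if ($cert.NotBefore -lt $Cutoff) {
                $reasons += "cert issued $($cert.NotBefore.ToString('yyyy-MM-dd')), before legacy cut-off"
            }

            # 3. Windows itself no longer trusts the signature.
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature status $($sig.Status)"
            }

            if ($reasons.Count -eq 0) { return }

            # An expired certificate is only accepted because of its timestamp
            # countersignature, which is exactly what the forgery tools fake, so
            # record who timestamped it for the analyst to cross-check.
            $tsa = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { '<none>' }

            [pscustomobject]@{
                File        = $file.FullName
                Status      = $sig.Status
                Signer      = $cert.Subject
                Thumbprint  = $cert.Thumbprint
                CertExpired = ($cert.NotAfter -lt (Get-Date))
                TimeStamper = $tsa
                Language    = $file.VersionInfo.Language   # version-resource language, e.g. "Chinese (Simplified)"
                Reasons     = ($reasons -join '; ')
            }
        }
}

# Usage: print the review list; items matching the Talos list are the priority.
Find-SuspectDriverSignature | Format-Table File, Status, CertExpired, Language, Reasons -AutoSize -Wrap
```

On a long-lived machine the pre-cut-off check will also catch legitimate but old third-party drivers, so treat its output as a review queue rather than a verdict: a Talos-list match or a non-`Valid` status is actionable on its own, while a pre-2015 certificate combined with a Chinese (Simplified) resource language and an unfamiliar timestamp authority is the pattern the article describes and deserves a closer look at the file's real origin.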
Cisco notes that Microsoft has blocked the certificates mentioned in the blog post in response.