Malware with faked timestamps on the rise to bypass Windows protections
Microsoft banned more than 100 signed malicious Windows drivers just last week after it was informed that malicious actors had joined the company's Windows Hardware Developer Program to get drivers containing malware signed.
Security researchers at Cisco Talos Intelligence have now pointed out another threat related to drivers on Windows.
Microsoft has added driver security measures in several versions of Windows to prevent malicious or problematic drivers from loading on Windows devices. Starting with Windows Vista, kernel-mode drivers had to be digitally signed with a certificate from a verified certificate authority.
Kernel-mode drivers are loaded at an early stage, which gives them a lot of control over the system in question. The signature enforcement was a major game changer for Windows security.
Windows 10 version 1607 introduced an updated driver signing policy. The main change required developers to submit kernel-mode drivers to Microsoft's Developer Portal to have them signed by Microsoft. This change was designed to limit malicious actors further and to make sure that drivers met requirements and security standards.
Microsoft created three exceptions to the new policy: the policy does not apply to a PC that was upgraded from an earlier version of Windows to Windows 10 version 1607, and it does not apply on PCs with Secure Boot turned off.
The third exception allows drivers to be signed with an "end-entity certificate issued prior to July 29th 2015 that chains to a supported cross-signed CA"; according to Cisco, this third exception creates a loophole.
Malicious actors have started to exploit this loophole to deploy malicious drivers without submission to Microsoft. Talos Intelligence claims that this loophole has been used to create "thousands of malicious, signed drivers" using tools that forge the signature timestamp.
Cisco recommends blocking the certificates mentioned in its blog post. The certificates listed there are the following:
- ???????????? (Beijing Shihai Trading Co Ltd)
- Beijing JoinHope Image Technology Ltd.
- Shenzhen Luyoudashi Technology Co., Ltd.
- Jiangsu innovation safety assessment Co., Ltd.
- Baoji zhihengtaiye co.,ltd
- Zhuhai liancheng Technology Co., Ltd.
- Fuqing Yuntan Network Tech Co.,Ltd.
- Beijing Chunbai Technology Development Co., Ltd
- 绍兴易游网络科技有限公司
- 善君 韦
- NHN USA Inc.
- Open Source Developer, William Zoltan
- Luca Marcone
- HT Srl
The security researchers analyzed 300 malicious samples and discovered that about half contained a language code. The majority of the samples with a language code were set to Chinese (Simplified).
Cisco notes that Microsoft has blocked the certificates mentioned in the blog post as a response.
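The following PowerShell script is an added example, not code from the article or from Cisco Talos. It inventories driver files, flags those whose signer certificate subject matches one of the publishers listed above (the two Chinese-only entries are omitted from the match list), and separately flags non-Microsoft drivers whose signer certificate was issued before the July 29th 2015 cutoff quoted in the article, since those are the drivers the cross-signing exception applies to. `Test-DriverSignature` is a hypothetical helper name; `Get-AuthenticodeSignature` does not expose the signature timestamp itself, so flagged files still need their signing date reviewed with a tool that shows it (for example Sysinternals sigcheck).

```powershell
# Added example; not code from the article or from Cisco Talos.
# Cutoff date of the cross-signing exception, as quoted in the article.
$Cutoff = [datetime]'2015-07-29'

# Substrings of the publisher names listed in the article (Chinese-only entries omitted).
$FlaggedPublishers = @(
    'Beijing Shihai Trading', 'Beijing JoinHope Image Technology', 'Shenzhen Luyoudashi Technology',
    'Jiangsu innovation safety assessment', 'Baoji zhihengtaiye', 'Zhuhai liancheng Technology',
    'Fuqing Yuntan Network Tech', 'Beijing Chunbai Technology Development', 'NHN USA',
    'William Zoltan', 'Luca Marcone', 'HT Srl'
)

function Test-DriverSignature {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $reasons = @()
    if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
    if ($cert) {
        foreach ($p in $FlaggedPublishers) {
            if ($cert.Subject -like "*$p*") { $reasons += "listed publisher '$p'" }
        }
        # Non-Microsoft drivers whose signer certificate predates the cutoff are the population
        # the exception covers; their signing date needs a separate look (this cmdlet does not
        # expose the timestamp), because forged timestamps are what the article describes.
        if (-not $sig.IsOSBinary -and $cert.NotBefore -lt $Cutoff) {
            $reasons += "signer cert issued $($cert.NotBefore.ToString('yyyy-MM-dd')), before 2015-07-29"
        }
    }
    [pscustomobject]@{
        Path        = $Path
        Subject     = if ($cert) { $cert.Subject } else { $null }
        Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
        TimeStamper = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { $null }
        Flags       = $reasons -join '; '
    }
}

# Scan the system driver directory and show only files that raised at least one flag.
Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter *.sys -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Test-DriverSignature -Path $_.FullName } |
    Where-Object { $_.Flags } |
    Format-Table -AutoSize
```

A legitimate but old driver can also carry a pre-2015 signer certificate, so the date flag marks candidates for review rather than confirmed malware; the publisher match is the stronger signal.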
Chinese malware everywhere around. :S
Martin, your copy-and-paste result is displaying a lot of weird question marks, e.g. in the list of Certificate names… Let’s see what happens when I type the following:
“[…]绍兴易游网络科技有限公司 …”
“[…]善君 韦 …”
I would have thought this blog could handle the rendering of most simplified Chinese. We’ll find out shortly if you would please allow this post through the censors.
Hallowed be the memory of the Lost Souls.
Clearly the gHacks blog can display those Chinese characters as also seen on the quoted Cisco Talos threat advisory (see my prior post).
I wonder what program you are using for copy-and-pasting text into your articles. Because for you, it appears it’s failing to store that data correctly. When you are actually publishing the article text itself by using direct text input methods…
All those Chinese characters you tried to enter erroneously got substituted as “?”, i.e. U+003F. For example, inputting “[…] 善君 韦 …” directly wrongly appeared as “?? ?” when output. Thank you.