This article is more than 1 year old

Forgotten motherboard driver turns out to be perfect for slipping Windows ransomware past antivirus checks

Old Gigabyte code lets file-scrambling RobbinHood go undetected

A kernel-level Windows driver for old PC motherboards has been abused by criminals to silently disable antivirus protections, and hold files to ransom.

Sophos this month reported that an arbitrary read-write flaw in a digitally signed driver for now-deprecated Gigabyte hardware was recently used by ransomware, dubbed Robbinhood, to quietly switch off security safeguards on Windows 7, 8 and 10 machines.

The problem, said Sophos, is that while Gigabyte stopped supporting and shipping the driver a while back, the software's cryptographic signature is still valid. And so, when the ransomware infects a computer – either by some other exploit or by tricking a victim into running it – and loads the driver, the operating system and antivirus packages will allow it because the driver appears legit.

At that point, the ransomware exploits the security flaw in the Gigabyte driver to alter memory to bypass protection mechanisms and inject malicious code into kernel space, completely compromising the box and allowing the file-scrambling component to run unhindered.

"In this attack scenario, the criminals have used the Gigabyte driver as a wedge so they could load a second, unsigned driver into Windows," Sophos explains. "This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference."


WannaCry ransomware attack on NHS could have triggered NATO reaction, says German cybergeneral


Specifically, RobbinHood loads the Gigabyte driver, exploits the read-write hole to turn off code-signing checks, loads its own unsigned driver unobstructed, and then instructs it to kill off the processes and files of antivirus products, including their kernel drivers. RobbinHood requires administrator access to load the vulnerable motherboard driver in the first place, so you may be thinking what's the point of all of this: if you're a miscreant with admin access, you can do anything you like.

However, the aim appears to be the silent killing of any anti-malware products that would block the malicious unsigned driver loading and/or the file-scrambling process, all without alerting any users.

After their files are scrambled, victims can either pay to retrieve their files or hope to restore from a previous good backup. In the case of Robbinhood, those infected have included the cities of Baltimore, MD and Greenville, NC, in the US.

Because the malware can download and run its own signed yet vulnerable copy of the software, patching the driver won't guarantee safety. Instead, Sophos recommends admins limit who has superuser access, layer security protections to minimize the spread of malware and its damaging effects, enforce best practices with passwords and multi-factor authentication, and educate users so that the trojan can't get a foothold on their machines in the first place. Plus the usual drum beat of patching and keeping antivirus up to date.

We'll let you know if Digicert, which now owns the outfit that signed the driver for Gigabyte, has any comment or has revoked the software's digital certificate to prevent it from running. ®

More about


Send us news

Other stories you might like