Windows 10: Malware found in over 100 signed Windows drivers

Discuss and support Malware found in over 100 signed Windows drivers in Windows 10 News to solve the problem; Yesterday's security updates for Windows and other Microsoft products came with an advisory regarding the malicious use of Microsoft signed drivers.... Discussion in 'Windows 10 News' started by GHacks, Jul 12, 2023.

  1. GHacks
    GHacks New Member

    Malware found in over 100 signed Windows drivers


    Yesterday's security updates for Windows and other Microsoft products came with an advisory regarding the malicious use of Microsoft signed drivers.

    Security researchers at Sophos, Trend Micro and Cisco informed Microsoft about malware in signed drivers in February 2023. The researchers discovered that drivers "certified by Microsoft's Windows Hardware Developer Program were being used maliciously in post-exploitation activity".

    The researchers identified 133 different drivers, the majority certified, by multiple developer accounts and reported their findings to Microsoft. Some of the signed drivers date back to April 2021 according to Sophos.

    Microsoft is blocking the malicious drivers and has closed the responsible developer accounts. The drivers have been put on the Windows Driver.STL revocation list; this list prevents them from being loaded on Windows devices. The revocation list ships with Windows and is updated regularly via Windows Update. Microsoft notes that the list is not part of Windows and that it can't be disabled, removed or manipulated.

    Windows administrators should make sure that the latest Windows updates are installed and that third-party security software is up to date as well. Administrators should run offline scans on their devices to detect malicious drivers that were installed before March 2, 2023. Sophos has published hashes of the malicious drivers on GitHub.

    Other Microsoft services, including Microsoft 365, Azure or Xbox are not affected by the issue according to Microsoft's advisory.

    Microsoft introduced a policy in Windows 10 version 1607 that required a valid digital signature for kernel drivers. Windows systems with Secure Boot enabled load only these drivers and refuse to load any drivers not digitally signed.

    Sophos notes that several of the digital certificates appear to have their origin in China, which it bases on the company names associated with the certificates.

    Sophos researchers discovered two main types of drivers. Some fell into the "Endpoint protection killer" category, which were similar to maliciously signed drivers discovered in 2022. Others had rootkit-like capabilities and were designed to run silently in the background.

    These drivers could only be installed by accounts with elevated rights. The rootkit drivers had network monitoring capabilities using the Windows Filtering Platform. It allowed the malicious actor to monitor incoming and outgoing Internet traffic.

    At least some of the rootkits belong to known Windows rootkit families according to Sophos' analysis and many included command-and-control server functionality, which gave the malicious actor even more control over infected devices.

    All malicious drivers that Sophos reported to Microsoft have been invalidated and revoked by Microsoft as of July 11, 2023. Microsoft Defender 1.391.3822.0 and newer versions of the built-in security tool detect the malicious drivers as well.

    Thank you for being a Ghacks reader. The post Malware found in over 100 signed Windows drivers appeared first on gHacks Technology News.

    GHacks, Jul 12, 2023
    #1
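    One way to act on the advice in the post above (install updates, then look for drivers that were present before revocation), as an added example that is not code from the gHacks article, Microsoft's advisory or Sophos. The script hashes every registered kernel driver and every .sys in the drivers directory, compares the SHA-256 values with a block list, and reports whether Secure Boot and driver-signature enforcement are intact. The block-list path C:\ioc\driver_hashes.txt and the script name are assumptions; fill the file with the hashes Sophos published, one per line. Run it from an elevated PowerShell session.

```powershell
<#
  Added example, not code from the gHacks article, Microsoft's advisory or Sophos.
  Hunts a Windows host for kernel drivers whose SHA-256 is on a block list and
  reports whether driver-signature enforcement has been weakened.
  Assumption: $HashListPath holds one SHA-256 per line (e.g. the Sophos list);
  the path is hypothetical. Run from an elevated PowerShell session.
#>
[CmdletBinding()]
param(
    [string]$HashListPath = 'C:\ioc\driver_hashes.txt'   # assumed location
)

# Load indicators; ignore '#' comments, blank lines and letter case.
$badHashes = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
Get-Content -LiteralPath $HashListPath -ErrorAction Stop |
    ForEach-Object { ($_ -split '#')[0].Trim() } |
    Where-Object { $_ -match '^[0-9A-Fa-f]{64}$' } |
    ForEach-Object { [void]$badHashes.Add($_) }

# Win32_SystemDriver.PathName comes in several spellings; map them to Win32 paths.
function ConvertTo-Win32Path {
    param([string]$NtPath)
    if ($NtPath -match '^\\\?\?\\(.+)$')       { return $Matches[1] }                          # \??\C:\...
    if ($NtPath -match '^\\SystemRoot\\(.+)$') { return Join-Path $env:SystemRoot $Matches[1] } # \SystemRoot\...
    if ($NtPath -match '^System32\\')          { return Join-Path $env:SystemRoot $NtPath }     # System32\drivers\...
    return $NtPath
}

# Candidate set: every registered driver service plus every .sys in the drivers
# directory, so a dropped file that is not (yet) registered is still examined.
$candidates = @{}
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $p = ConvertTo-Win32Path $_.PathName
        if (Test-Path -LiteralPath $p) {
            $candidates[$p.ToLowerInvariant()] = @{ Name = $_.Name; State = $_.State }
        }
    }
Get-ChildItem -LiteralPath (Join-Path $env:SystemRoot 'System32\drivers') -Filter *.sys -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $k = $_.FullName.ToLowerInvariant()
        if (-not $candidates.ContainsKey($k)) { $candidates[$k] = @{ Name = '(not registered)'; State = 'n/a' } }
    }

# Hash every candidate. The Authenticode signature is recorded for the report only:
# these drivers carry genuine WHCP signatures, so a signer check alone will not
# flag them; the hash match is the meaningful test.
$hits = foreach ($path in $candidates.Keys) {
    $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    if (-not $badHashes.Contains($sha256)) { continue }
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Service   = $candidates[$path].Name
        State     = $candidates[$path].State      # Running / Stopped from Win32_SystemDriver
        Path      = $path
        SHA256    = $sha256
        Signer    = $sig.SignerCertificate.Subject
        SigStatus = $sig.Status                   # Valid, NotSigned, HashMismatch, ...
    }
}

# Enforcement posture: Secure Boot on, and no BCD switch that makes the kernel
# accept test-signed or unsigned drivers. Regexes assume English bcdedit output.
$secureBoot = $false
try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }   # throws on legacy BIOS
$bcd = (& bcdedit /enum '{current}' 2>$null) -join "`n"
$posture = [pscustomobject]@{
    SecureBoot        = $secureBoot
    TestSigning       = [bool]($bcd -match '(?im)^\s*testsigning\s+Yes\s*$')
    NoIntegrityChecks = [bool]($bcd -match '(?im)^\s*nointegritychecks\s+Yes\s*$')
}

if ($hits) {
    Write-Warning ("{0} driver file(s) match the block list. Treat the host as compromised: quarantine the files and capture a forensic image before removal." -f @($hits).Count)
    $hits | Format-List
} else {
    Write-Output ("No block-listed drivers among {0} examined files." -f $candidates.Count)
}
$posture | Format-List
```

    Usage (file name assumed): `.\Find-BlocklistedDrivers.ps1 -HashListPath C:\ioc\driver_hashes.txt`. A hit with SigStatus "Valid" is exactly the situation the advisory describes, which is why the script keys on the hash rather than on the signer. A posture line showing TestSigning or NoIntegrityChecks as True, or SecureBoot as False, means the host will also accept drivers the revocation list never had to consider, and that should be fixed before the result is trusted.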
  2. Monk.e83 Win User

    Unlocked Realtek HD Audio Drivers Windows 7 & 8 (With Dolby Digital Live and DTS Interactive)

    DTS is supported natively by Windows 8/8.1 and it should work on Windows 10 too; only DDL requires you to unlock your driver.
     
    Monk.e83, Jul 12, 2023
    #2
  3. Best method to disable Vista/Vista 64 driver signing?

    Black Ice:

    It's not a matter of "try". The bcdedit command is not fully consistent and reliable for some folks.

    So far, to me, it seems the third choice always locks (disables) the driver signing. If that is the case for anyone who uses it, then that would suggest it is the more reliable and consistent method of the ones I've listed, anyway.

    Thanks for your feedback.
     
    crchickadee, Jul 12, 2023
    #3
  4. Malware found in over 100 signed Windows drivers

    Windows 10, 100% disk usage

    Hi Eric,

    Sometimes your computer could run very slowly even though you have only very few programs running. Since you're having an issue with 100% disk usage, it is always suggested that you keep your device drivers updated to eliminate the possibility of such problems.

    Let us walk you through some steps that may help us resolve your issue. Follow the steps below:

    Step 1: Update device drivers.

    This will help us remove/delete any corrupted data and issues with the PC hardware and make their operations work.

    Step 2: Disable Antivirus Software and Windows Defender.

    If you have installed antivirus or anti-malware programs such as Norton, Kaspersky, AVG, or Malwarebytes, it is suggested that you turn them off or disable them temporarily to see if the disk usage could be back to normal. If the antivirus or anti-malware software is at fault, we suggest that you consult the software manufacturers to see if they can provide some help.

    Hope the above information helps.
     
    Acelyn Alc, Jul 12, 2023
    #4