Installing gaming drivers might leave your PC vulnerable to cyberattacks
Vulnerabilities in signed drivers provide an unguarded gateway to Windows' core
If you use cheat programs when playing games on PC, you could be putting your computer at risk, as vulnerabilities in signed drivers are most commonly used by game cheat developers to circumvent anti-cheat mechanisms.
However, the same vulnerabilities have also been observed in use by several advanced persistent threat (APT) groups, according to a new report from ESET. The internet security company recently took a deep dive into the types of vulnerabilities that commonly occur in kernel drivers, and in the process found several vulnerable drivers in popular gaming software.
Unsigned drivers, or signed ones with vulnerabilities, can become an unguarded gateway to Windows' core for malicious actors. While directly loading a malicious, unsigned driver is no longer possible on Windows 10 and Windows 11, and rootkits are widely considered a thing of the past, there are still ways to load malicious code into the Windows kernel, especially by abusing legitimate, signed drivers.
In fact, many drivers from hardware and software vendors offer functionality that gives full access to the kernel with minimal effort. During its research, ESET found vulnerabilities in AMD's μProf profiling software, the popular benchmarking tool PassMark and the system utility PC Analyser. Thankfully, the developers of all of the affected programs have since released patches for these vulnerabilities after ESET contacted them.
Bring Your Own Vulnerable Driver
A common technique cybercriminals and threat actors use to run malicious code in the Windows kernel is known as Bring Your Own Vulnerable Driver (BYOVD). ESET senior malware researcher Peter Kálnai provided further details on this technique in a press release, saying:
“When malware actors need to run malicious code in the Windows kernel on x64 systems with driver signature enforcement in place, carrying a vulnerable signed kernel driver seems to be a viable option for doing so. This technique is known as Bring Your Own Vulnerable Driver, abbreviated as BYOVD, and has been observed being used in the wild by both high-profile APT actors and in commodity malware.”
Examples of malicious actors using BYOVD include the Slingshot APT group, which implemented its main module, Cahnadr, as a kernel-mode driver that can be loaded by vulnerable signed kernel drivers, and the InvisiMole APT group, which ESET researchers discovered back in 2018. The RobbinHood ransomware is yet another example: it leverages a vulnerable GIGABYTE motherboard driver to disable driver signature enforcement and install its own malicious driver.
In a lengthy blog post accompanying its press release, ESET explained that virtualization-based security, certificate revocation and driver blocklisting are all useful mitigations for those worried about signed kernel drivers being hijacked by malicious actors.
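The mitigations ESET lists above can be audited on a host with a short read-only script. This is an added example for readers, not code from ESET or the article; it assumes a Windows 10/11 host with PowerShell run as administrator, and the function name Get-ByovdMitigationStatus is hypothetical.

```powershell
# Added example (not from the ESET report or the article): read-only audit of the
# BYOVD mitigations named above on the local host. Run from an elevated PowerShell.

function Get-ByovdMitigationStatus {
    # 1. Virtualization-based security and HVCI (memory integrity), via the DeviceGuard CIM class.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    $vbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)   # 2 = VBS running
    $hvciRunning = ($dg.SecurityServicesRunning -contains 2)       # 2 = HVCI running

    # 2. Microsoft vulnerable driver blocklist toggle, stored under the Code Integrity config key.
    $ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklist = (Get-ItemProperty -Path $ciKey -Name 'VulnerableDriverBlocklistEnable' `
                  -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    $blocklistOn = ($blocklist -eq 1)

    # 3. Inventory of running kernel drivers not signed by Microsoft: this is the set that
    #    blocklisting and certificate revocation have to cover on this machine.
    $thirdParty = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise NT-style paths (\??\C:\... and \SystemRoot\...) to Win32 paths.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Signer = $sig.SignerCertificate.Subject
                Status = $sig.Status     # Authenticode/catalog check of the file on disk only
            }
        } |
        Where-Object { $_.Signer -notmatch 'Microsoft' }

    [pscustomobject]@{
        VbsRunning          = $vbsRunning
        HvciRunning         = $hvciRunning
        VulnDriverBlocklist = $blocklistOn
        ThirdPartyDrivers   = $thirdParty
    }
}

$status = Get-ByovdMitigationStatus
$status | Select-Object VbsRunning, HvciRunning, VulnDriverBlocklist | Format-List
$status.ThirdPartyDrivers | Format-Table Name, Signer, Status -AutoSize
```

A valid signature in the Status column does not mean a driver is safe; it only confirms the file matches its signer, so the listed third-party drivers still need to be compared against the current Microsoft blocklist and vendor advisories.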
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.