Ransomware installs Gigabyte driver to kill antivirus products

teriyakiburns

Nothing like waiting till the last minute, huh?
kiwifarms.net
That actually WASN'T the question, moron. This was the question - "Who is this a threat to? Everyone? Just Windows users?" To which the correct answer would have been "Anyone on Windows who has a Gigabyte motherboard." How the fuck are you seriously this dense? You really might want to get your sight checked out and at the very least brush up on those reading comprehension skills.
But does that exclude other OS from vulnerability?
 

TwinkLover6969

kiwifarms.net
That actually WASN'T the question, moron. This was the question: "Who is this a threat to? Everyone? Just Windows users?" To which the correct answer would have been "Anyone on Windows who has a Gigabyte motherboard." How the fuck are you seriously this dense? You really might want to get your sight checked out and at the very least brush up on those reading comprehension skills. Also, no one is magically voodooing the drivers onto your computer; the only people who would be coming into contact with the driver in question are people with Gigabyte hardware or people whose security is already compromised.
That's not the correct answer you dumb fuck.

  1. Ransomware gang gets a foothold on a victim's network.
  2. Hackers install legitimate Gigabyte kernel driver GDRV.SYS.
  3. Hackers exploit a vulnerability in this legitimate driver to gain kernel access.
  4. Attackers use the kernel access to temporarily disable the Windows OS driver signature enforcement.
  5. Hackers install a malicious kernel driver named RBNL.SYS.
  6. Attackers use this driver to disable or stop antivirus and other security products running on an infected host.
  7. Hackers execute the RobbinHood ransomware and encrypt the victim's files.
Can you fucking read?
 
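A defender-side detection sketch for the chain in steps 2 to 6 above, added here as an example; it is not code from the thread, from the article it discusses, or from any vendor's tooling. It assumes a constructed, simplified driver-load log format (timestamp, host, image path, signature status), and the only driver names it knows are the two named in the thread, GDRV.SYS and RBNL.SYS. The second rule is the more useful one: it fires on any unsigned driver loading shortly after a known-vulnerable signed driver on the same host, so it does not depend on the malicious driver keeping the same file name.

```python
"""
Detect the bring-your-own-vulnerable-driver (BYOVD) pattern described in the
thread: a signed but vulnerable driver (GDRV.SYS) is loaded first, then an
unsigned driver (RBNL.SYS) follows once driver signature enforcement (DSE)
has been switched off from the kernel.

The log format parsed here is constructed for this example and is NOT a
real Sysmon or ETW export; adapt parse_line() to whatever your telemetry emits.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Driver file names taken from the thread. A real deployment would use a
# maintained vulnerable-driver list (for example Microsoft's recommended
# driver block rules, enforceable with WDAC/HVCI) instead of two hard-coded names.
KNOWN_VULNERABLE = {"gdrv.sys"}
KNOWN_MALICIOUS = {"rbnl.sys"}

# One constructed log line per driver load event.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=DriverLoad "
    r"image=(?P<image>\S+) signed=(?P<signed>true|false)$"
)


@dataclass
class DriverLoad:
    ts: datetime
    host: str
    image: str
    signed: bool

    @property
    def name(self) -> str:
        """Lower-cased file name, independent of the directory it was dropped in."""
        return self.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> DriverLoad | None:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return DriverLoad(
        ts=datetime.fromisoformat(m["ts"]),
        host=m["host"],
        image=m["image"],
        signed=m["signed"] == "true",
    )


def detect(lines, window: timedelta = timedelta(minutes=10)) -> list[str]:
    """Return alert strings for the given log lines.

    Rule 1: any load of a driver on the known-vulnerable or known-malicious list.
    Rule 2: on one host, a known-vulnerable driver load followed within `window`
            by an unsigned driver load, the DSE-bypass sequence from the thread,
            whatever the second driver happens to be called.
    """
    alerts: list[str] = []
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    by_host: dict[str, list[DriverLoad]] = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)

    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        vuln_loads: list[DriverLoad] = []
        for e in evs:
            if e.name in KNOWN_VULNERABLE:
                alerts.append(f"{host}: known vulnerable driver loaded: {e.name}")
                vuln_loads.append(e)
            if e.name in KNOWN_MALICIOUS:
                alerts.append(f"{host}: known malicious driver loaded: {e.name}")
            if not e.signed and any(
                timedelta(0) <= e.ts - v.ts <= window for v in vuln_loads
            ):
                alerts.append(
                    f"{host}: unsigned driver {e.name} loaded after vulnerable "
                    f"driver (possible DSE bypass)"
                )
    return alerts


# Constructed sample log: ws01 shows the full chain, ws02 is benign,
# and the last line is junk to exercise the parser's rejection path.
SAMPLE_LOG = [
    "2020-02-07T10:00:00 host=ws01 event=DriverLoad image=C:\\Windows\\System32\\drivers\\disk.sys signed=true",
    "2020-02-07T10:01:10 host=ws01 event=DriverLoad image=C:\\Windows\\Temp\\gdrv.sys signed=true",
    "2020-02-07T10:01:45 host=ws01 event=DriverLoad image=C:\\Windows\\Temp\\rbnl.sys signed=false",
    "2020-02-07T10:02:00 host=ws02 event=DriverLoad image=C:\\Windows\\System32\\drivers\\ndis.sys signed=true",
    "not a log line",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this raises three alerts for ws01 (vulnerable driver, malicious driver, unsigned-after-vulnerable) and none for ws02. Note that a signed vulnerable driver loading from a temp directory rather than a driver-store path is itself worth a rule in practice, since the thread's point is that the attacker drops GDRV.SYS rather than relying on it being there.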

DidYouJustSayThat

Eat the bat soup, bigot.
kiwifarms.net
That actually WASN'T the question, moron. This was the question: "Who is this a threat to? Everyone? Just Windows users?" To which the correct answer would have been "Anyone on Windows who has a Gigabyte motherboard." How the fuck are you seriously this dense? You really might want to get your sight checked out and at the very least brush up on those reading comprehension skills. Also, no one is magically voodooing the drivers onto your computer; the only people who would be coming into contact with the driver in question are people with Gigabyte hardware or people whose security is already compromised.
One does not actually need to have the actual hardware for forcing a driver installation on Windows, it just needs to be correctly signed with a trusted certificate. Now, that it has been done once, expect attackers to troll through thousands of still trusted hardware drivers for devices not even in production or out of support with similar vulnerabilities.
So no, the attack does not rely on you having a Gigabyte mobo. Gigabyte mobo owners may be even better off, since the attacker has to do an extra step of downgrading the current driver without the vulnerability.
 

He Who Points And Laughs

Flavortown Refugee
kiwifarms.net

Spedestrian

Based and Scrabblepilled
True & Honest Fan
kiwifarms.net
It's not a Windows driver. It's a Gigabyte driver FOR Windows. There is a difference you moron. One would be on all copies of Windows for all people, the other is only on computers with Windows AND with Gigabyte hardware. For instance, my computer, with Windows, does not have a Gigabyte motherboard, hence IT DOESN'T HAVE THE DRIVER. Is this still too complicated for you to follow?
The malware installs the driver you belligerent sped. You don't need to have it installed already, you don't even need to have Gigabyte hardware, the vulnerable driver is packed into the executable so that it can be dropped and manually installed when the executable runs. Here, see for yourself:


That actually WASN'T the question, moron. This was the question: "Who is this a threat to? Everyone? Just Windows users?" To which the correct answer would have been "Anyone on Windows who has a Gigabyte motherboard." How the fuck are you seriously this dense? You really might want to get your sight checked out and at the very least brush up on those reading comprehension skills. Also, no one is magically voodooing the drivers onto your computer; the only people who would be coming into contact with the driver in question are people with Gigabyte hardware or people whose security is already compromised.
The fact that you think manually installing a digitally signed driver from a trusted vendor on a compromised system is "magical voodoo" is a testament to your ignorance and illiteracy. No shit it only works on compromised systems — the article says as much, and the fact that it's a privilege escalation attack would make it obvious even if it wasn't stated. They need to have the privileges to install a driver for their driver-based exploit to work.

It's a threat to anyone who's running Windows regardless of their hardware because it allows the attacker to turn a basic bitch user mode compromise into a full-on kernel mode assfucking. It lets them disable security products at a deeper level than most endpoint solutions can detect or prevent. It's the Terry A. Davis of compromises: it runs in ring 0 and beats the nigga because he thinks GDRV.SYS is real mode.

It's been fun watching you embarrass yourself by bringing a baby carrot to a dick measuring contest, but if I was you I'd take this as a sign to pull my pants back up and go do some more reading.
 

Blood Bath & Beyond

Proud Cracker
kiwifarms.net
One does not actually need to have the actual hardware for forcing a driver installation on Windows, it just needs to be correctly signed with a trusted certificate. Now, that it has been done once, expect attackers to troll through thousands of still trusted hardware drivers for devices not even in production or out of support with similar vulnerabilities.
So no, the attack does not rely on you having a Gigabyte mobo. Gigabyte mobo owners may be even better off, since the attacker has to do an extra step of downgrading the current driver without the vulnerability.
I didn't say it required the user to have the Gigabyte mobo, I said that the only people who would be installing the driver would be people with a Gigabyte mobo or people whose systems are already compromised. You can't drive-by install a driver into someone's system without them at least approving of it. Microsoft isn't pushing the driver to anyone in an update or anything like that either. I'm really not sure how it came to be that this many people in the thread lack the most basic reading comprehension skills or knowledge about how computers, the internet and viruses work when I became autistic, but well here you have it.
 

Vecr

"nanoposts with 90° spatial rotational symmetries"
kiwifarms.net
I didn't say it required the user to have the Gigabyte mobo, I said that the only people who would be installing the driver would be people with a Gigabyte mobo or people whose systems are already compromised. You can't drive-by install a driver into someone's system without them at least approving of it. Microsoft isn't pushing the driver to anyone in an update or anything like that either. I'm really not sure how it came to be that this many people in the thread lack the most basic reading comprehension skills or knowledge about how computers, the internet and viruses work, but well here you have it.
I'm not sure if this is correct, but the virus might be exploiting that the bad driver is still signed to install it and use it as a backdoor.
 

teriyakiburns

Nothing like waiting till the last minute, huh?
kiwifarms.net
I'm not sure if this is correct, but the virus might be exploiting that the bad driver is still signed to install it and use it as a backdoor.
It's not correct, and that's exactly what's going on. Driver installs don't necessarily require user permission when they're appropriately signed, but even if they do, it's easy enough to disguise that permission behind an innocuous dialogue. This is partially the result of the way that Windows handles privilege elevation for certain tasks via UAC dialogues, which have been routinely and rightly criticised for creating dialogue fatigue in users, resulting in them okaying anything that pops up so they can keep on doing what they were doing, rather than paying attention to the questions that the OS is asking and taking appropriate action.

What the mong doesn't understand is that computer virus infection is mostly an exercise in social engineering to get to the point where an exploit is possible. Most infections occur as the result of people being engineered into clicking things they shouldn't click. Getting them to okay the installation of a driver is child's play.

And it's still a Windows driver.
 

Blood Bath & Beyond

Proud Cracker
kiwifarms.net
The only people who would be seeking out the driver and who would most likely have a chance of interaction with it would be those who have Gigabyte hardware. Other than that if you're downloading random shit and you so happen to install malware and this particular driver is packaged with it, then that is because you are an idiot. Yes, I know that in the most general sense Windows is vulnerable to this attack and the driver could be packaged with some other executable, but the point is that the vast majority of people would never encounter it and the people most likely to encounter it would be people with Gigabyte hardware. People just generally being exceptional and not practicing common sense internet safety are not what I am referring to, because in that particular case, the specific vector of attack is unimportant, they could be compromised with a million different fake or faulty software, drivers, whatever. The people who are vulnerable to this aren't "Windows users" the people who are vulnerable are idiots or people with Gigabyte hardware. Maybe I am the fucking mong here, but this is a clear distinction in my mind.

Edit: I get why you all think I'm an idiot now and I guess I sort of agree. I think we were arguing two separate things and I was being completely oblivious to that while you all were not. Please rate autistic.
 

Yotsubaaa

True & Honest Fan
kiwifarms.net
The only people who would be seeking out the driver and who would most likely have a chance of interaction with it would be those who have Gigabyte hardware. Other than that if you're downloading random shit and you so happen to install malware and this particular driver is packaged with it, then that is because you are an idiot. Yes, I know that in the most general sense Windows is vulnerable to this attack and the driver could be packaged with some other executable
C'mon bro, don't do this 😞

robnr.png


EDIT: Just saw your edit now. No worries!
 

God

Him, the Almighty Power
kiwifarms.net
There are also Capcom and Intel drivers that are used to gain kernel access pretty easily.
Usually they're used for bypassing anti-cheats; never thought of using them for malware.

 