
Thread: Malicious Device Drivers

  1. #1
    Senior Member
    Join Date
    May 2004
    Posts
    206

    Malicious Device Drivers

    I've been reading about Windows lately, in particular about kernel mode and user mode. From what I understand, code running in kernel mode has access to just about any part of the operating system. Since device drivers run in kernel mode, what would stop someone from making a driver for, say, a usb flash drive and having it access the sam/syskey files to extract password hashes, and then paste them onto that very flash drive. Is there any built-in security to stop such things?
    It is better to die on your feet than to live on your knees.

  2. #2
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    what would stop someone from making a driver for, say, a usb flash drive and having it access the sam/syskey files to extract password hashes, and then paste them onto that very flash drive
    Well for one ... You'll have to be good in writing device drivers, so I don't see script kiddies writing anything like that soon. Also hackers will mostly use easier to exploit vulnerabilities.

    Unless you're talking about rootkits, you don't need to worry too much about kernel mode driver vulnerabilities ..."yet" ... It is a threat but most modern anti-virus programs and intrusion detection programs can handle the driver exploitation.

    Also ... The USB drivers run in user mode not in kernel mode, same goes for printers and I think graphics too, so the risk is much lower. (Does that count as built-in security ?)

    And you need to have local access if you want to insert a USB device in a computer and get the hashes or whatever... Or even run the driver for that matter... So if they can do that, your basic security isn't good to begin with

    Well that's my 2c. anyway ...

    .C.
    Back when I was a boy, we carved our own IC's out of wood.

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Jareds411, this is just my opinion, so it is probably worthless

    I think that you have a very good point there, however you would have to somehow persuade the victim to download and apply the driver from what must be an untrusted source?

    However, as a follow on from your thinking, suppose a viral type malware attached itself to a legitimate device driver?

    I think that the reality situation is that there are so many devices with so many different drivers that the total number of combinations is too large. Applications and operating systems are more consistent, so make a better target?

    I could see it as happening as some sort of "commercial terrorism" that attacked products of a particular company to undermine their market confidence?............. that could spawn some sort of internet blackmail scenario?............. corporate extortion or whatever you may like to call it?

    just a few thoughts..............

  4. #4
    Disgruntled Postal Worker fourdc's Avatar
    Join Date
    Jul 2002
    Location
    Vermont, USA
    Posts
    797
    I had a HP all in one printer that had drivers and software that took over operation of my computer quite a few times before I removed them.

    Always looking for updates, changing assignments for program calls for various file extensions. I removed the TSR programs from my startups but every time I printed something they activated themselves and reintroduced themselves to my startup.

    Using SpyBot's Teacup program I started disallowing them but finally I said chuck it and I bought another printer.

    If that wasn't commercial malware, what would you call it. It's the last HP product I'll buy.
    ddddc

    "Somehow saying I told you so just doesn't cover it" Will Smith in I, Robot

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Unless you're talking about rootkits, you don't need to worry too much about kernel mode driver vulnerabilities ..."yet"
    I've been tracking malware trends and rootkit and ring zero DLL exploits are tracking upward. Scary.

    Just the other day I found a rootkit sitting behind the windows API. This one traced back to a malware site in India. It was a single purpose logger (looking for credit card number strings) which it then would pass the data back via its own SMTP engine one time every 5 minutes. Very sneaky. It also had a listener activated by a port knock. Obviously this wasn't the work of a kiddie.

    Using SpyBot's Teacup program I
    LOL. I think you mean TeaTimer.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
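    The rootkit thehorse13 describes above phoned home over its own SMTP engine on a fixed five-minute schedule. That regularity is the detection handle a defender has: ordinary mail traffic is bursty, a beacon is not. The script below is an added example, not code from this thread or from anyone posting in it; it runs over a constructed connection log (the sample lines, hosts and addresses are made up) and flags any source/destination pair on port 25 whose inter-connection gaps are nearly constant.

```python
"""Flag hosts that open outbound SMTP connections on a fixed interval.

Added example, not from the thread. The log format below
("timestamp src dst dport action") and every address in it are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: 10.0.0.5 beacons to one mail host every ~5 minutes,
# 10.0.0.9 sends ordinary, irregular mail, 10.0.0.7 is web traffic only.
SAMPLE_LOG = """\
2005-03-01T10:00:02 10.0.0.5 198.51.100.20 25 ALLOW
2005-03-01T10:01:17 10.0.0.7 198.51.100.9 80 ALLOW
2005-03-01T10:05:03 10.0.0.5 198.51.100.20 25 ALLOW
2005-03-01T10:06:40 10.0.0.7 198.51.100.9 443 ALLOW
2005-03-01T10:10:01 10.0.0.5 198.51.100.20 25 ALLOW
2005-03-01T10:12:55 10.0.0.9 198.51.100.20 25 ALLOW
2005-03-01T10:15:02 10.0.0.5 198.51.100.20 25 ALLOW
2005-03-01T10:20:04 10.0.0.5 198.51.100.20 25 ALLOW
2005-03-01T10:25:01 10.0.0.5 198.51.100.20 25 ALLOW
2005-03-01T10:31:33 10.0.0.9 198.51.100.20 25 ALLOW
2005-03-01T11:02:10 10.0.0.9 198.51.100.20 25 ALLOW
"""


def parse_log(text):
    """Parse log lines into (datetime, src, dst, dport) tuples.

    Malformed lines (wrong field count, bad timestamp or port) are skipped
    rather than aborting the run, since real logs are rarely clean.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, _action = parts
        try:
            records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
        except ValueError:
            continue
    return records


def find_beacons(records, dport=25, min_connections=5, max_jitter_ratio=0.1):
    """Return {(src, dst): mean_gap_seconds} for flows with regular timing.

    Regularity is the population stdev of the gaps between successive
    connections divided by their mean (coefficient of variation). A timer-
    driven beacon scores close to zero; human-driven mail does not. The
    thresholds are assumptions to tune per environment, not fixed rules.
    """
    flows = defaultdict(list)
    for ts, src, dst, port in records:
        if port == dport:
            flows[(src, dst)].append(ts)

    beacons = {}
    for key, times in flows.items():
        if len(times) < min_connections:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {src} -> {dst}:{25} every ~{interval:.0f}s")
```

    On the constructed log only 10.0.0.5 is reported, with a mean gap of about 300 seconds; 10.0.0.9 has too few connections and irregular spacing. The same grouping works for any port: a listener woken by a port knock, as in the post above, would show up as the reverse pattern (short bursts of inbound attempts to several closed ports followed by one accepted connection), which is a separate rule on the same parsed records.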

  6. #6
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    I've been tracking malware trends and rootkit and ring zero DLL exploits are tracking upward. Scary
    Yes I concur ...The rootkits are steadily growing to become the biggest security risk ...If not so already ..

    TH13 Do you have a resource which explain the ring zero DLL exploits more indepth ??

    Monitoring systems and networks will be more and more important ... reacting with speed on vulnerabilities and outbreaks ... What if a pc in the firm gets infected with a rootkit ...

    Anyway ...

    .C.
    Back when I was a boy, we carved our own IC's out of wood.

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Most of what I know about ring 0 exploits is sittin in meh head. I should really document it.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  8. #8
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    Do I smell a tutorial potential

    .C.
    Back when I was a boy, we carved our own IC's out of wood.

  9. #9
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    An area I see is "Un-Offical MS update sites",
    hmm just what is in those thar hotfixes..
    so what you and your pc think are MS patches, could easily be a rootkit or similar..

    Not saying that these are all bogus, just be bloody careful ... and it is a vector..

    my 0.2c
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  10. #10
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmmm..........................

    It was a single purpose logger (looking for credit card number strings) which it then would pass the data back via its own SMTP engine one time every 5 minutes
    A little while ago, when dinosaurs roamed the Earth, I worked on a retail EPOS system............ I have a proggy that generates fake CC numbers that pass the normal validation checks................. now if I were to find one of these "harvesters" and connect the two.................. I wonder how long it would be before they were doing serious bubba time?

    This is very moot under our laws............ it is not criminal, but I might get sued by a CC company...... they would have to prove that it was me though and explain how a fake number actually worked?
