Black Hat 2018: Stealthy Kernel Attack Flies Under Windows Mitigation Radar

Discussion in 'other security issues & news' started by Minimalist, Aug 9, 2018.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    9,396
    Location:
    Slovenia
    https://threatpost.com/stealthy-new-kernel-attack-flies-under-windows-mitigation-radar/
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,571
    Location:
    U.S.A.
    See, here's the problem. Win 10 kernel driver protections are:

    1. Prevent the driver from getting installed.
    2. If somehow no. 1 can be bypassed, prevent the driver from loading at boot time if Secure Boot is enabled.

    The fact the driver can be directly loaded into memory on the fly via .Net should not surprise anyone.
    Windows always will be a POC (piece of crap) security-wise. That fact is one of the "undisputable truths."
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    7,361
    Location:
    U.S.A. (South)
    That's being a little hard on those boys, isn't it? :p

    The problem now, as I personally see it, is that even if Microsoft could, or would one day finally, discover a better way to 100% prevent kernel poking like that (minus new hardware), as it currently stands the new techniques malware/hackers invent wouldn't even need to break kernel protection to fudge a Windows 10 unit good and proper. Is that so unusual? :isay:

    But back more on topic: that's a formidable move to have at disposal, where they could 0wn the box and make hay any which way suits the plans. I remain solidly sold there should have been a Windows 9 to draw out all these sorts of (Ring0) kernel bugs/errors, and more, being raised and discovered on Windows 10 now. IMO it sort of defeats the purpose of an orderly sequence to skip a version while blowing the horn as the best and more secure when it's not there yet fully.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,571
    Location:
    U.S.A.
    BTW - Endgame has a couple of kernel mode breach mitigation tools called KASR and MARTA here: https://www.endgame.com/tools for those who like to "play."
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,682
    Location:
    The Netherlands
    M$ did do a lot to make Windows safer, to be fair. Because of PatchGuard and Driver Signature Enforcement you almost never hear of rootkit attacks anymore. And for this attack to succeed, you still need to be able to run a malicious process, but I would sure like to know which technique is used to load the Turla driver.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,682
    Location:
    The Netherlands
    I couldn't find any info about this; haven't they made it public yet? Normally, a HIPS should always alert when certain APIs are being used to load a driver, so I wonder how this could be done.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,571
    Location:
    U.S.A.
    I haven't seen a HIPS to date that monitors COM activity. Maybe @cruelsister can chime in if Comodo's Defense+ does.
     