First off this week, a ransomware named Robinhood has a novel trick up its sleeve. The trick? Loading an old known-vulnerable signed driver, and then using a vulnerability in that driver to get a malicious kernel driver loaded.
A Gigabyte driver unintentionally exposed an interface that allows unfettered kernel-level read and write access. Because it is properly signed, Windows will happily load the driver. The ransomware code uses that interface to turn off the bit that enforces loading of signed drivers only. From there, loading a malicious driver is trivial. Robinhood uses its kernel-level access to disable anti-virus applications before launching the data encryption.
This is a striking example of the weakness of binary signing without a mechanism to revoke those signatures. In an ideal world, once the vulnerability was found and an update released, the older, vulnerable driver would have its signature revoked.
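The sequence described above (a signed but known-vulnerable driver loads, and shortly afterwards an unsigned driver loads once signature enforcement has been switched off) is something a defender can look for in driver-load telemetry. The following is an added detection example, not code from the original article or from any vendor: it runs over constructed events shaped like Sysmon Event ID 6 (DriverLoad) fields, and the blocklist hash and file names are placeholders rather than real driver hashes.

```python
"""Correlate driver-load events for the "vulnerable signed driver, then unsigned driver" pattern."""
from datetime import datetime, timedelta

# Constructed blocklist: SHA-256 -> description. The key is a placeholder, not a real hash.
VULNERABLE_DRIVER_HASHES = {
    "PLACEHOLDER_SHA256_VULNERABLE_GIGABYTE_DRIVER": "hypothetical Gigabyte driver exposing kernel R/W",
}

# An unsigned driver load this soon after a blocklisted driver load is treated as related.
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed sample events using Sysmon Event ID 6 field names (UtcTime, ImageLoaded, Hashes, Signed).
SAMPLE_EVENTS = [
    {"UtcTime": "2020-02-14 09:00:00.000",
     "ImageLoaded": r"C:\Windows\System32\drivers\benign_placeholder.sys",
     "Hashes": "SHA256=PLACEHOLDER_SHA256_BENIGN_DRIVER", "Signed": "true"},
    {"UtcTime": "2020-02-14 09:05:12.000",
     "ImageLoaded": r"C:\Windows\Temp\vulnerable_placeholder.sys",
     "Hashes": "SHA256=PLACEHOLDER_SHA256_VULNERABLE_GIGABYTE_DRIVER", "Signed": "true"},
    {"UtcTime": "2020-02-14 09:05:40.000",
     "ImageLoaded": r"C:\Windows\Temp\payload_placeholder.sys",
     "Hashes": "SHA256=PLACEHOLDER_SHA256_UNSIGNED_DRIVER", "Signed": "false"},
]


def parse_hashes(field):
    """Turn a Sysmon Hashes string such as 'MD5=..,SHA256=..' into {algorithm: value}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip()
    return out


def parse_time(value):
    """Sysmon UtcTime looks like '2020-02-14 09:05:12.000'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def detect_driver_abuse(events, blocklist=VULNERABLE_DRIVER_HASHES, window=CORRELATION_WINDOW):
    """Return alerts for blocklisted signed drivers and for unsigned drivers loaded soon after one."""
    alerts = []
    last_vulnerable = None  # (time, image) of the most recent blocklisted signed driver load
    for ev in sorted(events, key=lambda e: parse_time(e["UtcTime"])):
        when = parse_time(ev["UtcTime"])
        sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256")
        signed = ev.get("Signed", "").lower() == "true"
        if signed and sha256 in blocklist:
            last_vulnerable = (when, ev["ImageLoaded"])
            alerts.append({"severity": "high", "rule": "known-vulnerable-signed-driver",
                           "image": ev["ImageLoaded"], "note": blocklist[sha256]})
        elif not signed:
            # Windows normally refuses unsigned drivers, so this is suspicious on its own;
            # following a blocklisted driver it matches the enforcement-bypass pattern.
            if last_vulnerable and when - last_vulnerable[0] <= window:
                alerts.append({"severity": "critical", "rule": "unsigned-driver-after-vulnerable-driver",
                               "image": ev["ImageLoaded"], "preceded_by": last_vulnerable[1]})
            else:
                alerts.append({"severity": "medium", "rule": "unsigned-driver-load",
                               "image": ev["ImageLoaded"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_driver_abuse(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["rule"], alert["image"])
```

The blocklist is deliberately a plain hash set: because signatures on the old driver are never revoked, a hash or certificate-based blocklist (or Microsoft's own vulnerable driver blocklist where available) is what actually stops the loader, and the correlation rule catches the case where the block was missed.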
The last Windows 7 Update For Real This Time, Maybe
More news in the ongoing saga of Windows 7/Server 2008 reaching end-of-life. KB4539602 was released this Patch Tuesday, fixing the black background problem introduced in the last “final” round of updates. Surely that’s the last we’ll hear of this saga, right?
The unarguable benefits of digital photography have rendered the analog SLR obsolete for most purposes. This means that a wide selection of cameras and lenses is available on the second-hand market for pennies on the dollar, making them ripe targets for hacking. [drtonis] decided to experiment with a quick and easy digital conversion of an old Canon A-1, and it’s got us excited about the possibilities.
It’s a simple hack, but a fun one. The SLR is opened up, and the spring plate for holding the film is removed. A Raspberry Pi camera then has its original lens removed, and is placed inside the film compartment. It’s held in with electrical tape, upon a 3mm shim to space it correctly to work with the original optics.
[drtonis] notes that the build isn’t perfect, with some aberration likely caused by the reflective electrical tape in the film cavity. However, we think it’s a nice proof of concept that could go so much further. A Raspberry Pi Zero could easily be squeezed inside along with the camera, and everything glued in place to make things more robust. A specialist paint such as Stuart Semple’s Black 2.0 could also help cut down on light leaks inside. Plus, there are plenty of small screens that work with the Raspberry Pi and would provide a useful preview function.
Address Space Layout Randomization, or ASLR, is an important defense mechanism that can mitigate known and, most importantly, unknown security flaws. ASLR makes it harder for a malicious program to compromise a system by, as the name implies, randomizing the addresses of a process’s memory regions each time the main program is launched. This means an attacker cannot reliably jump to a particular function in memory, or to a piece of shellcode they have planted, because its address changes on every run.
ASLR has been broken before in some particular scenarios, but this new attack highlights a more profound problem. It exploits the way the memory management unit (MMU) of modern processors uses the processor’s cache hierarchy to speed up page table walks, so the flaw lies in the hardware itself rather than in the software running on it. Software vendors can take some steps to mitigate the issue, but a full and proper fix will mean replacing or upgrading the hardware.
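To make the "addresses change on every launch" point concrete, here is an added example (not part of the original article or of the researchers’ work) that samples an address from several freshly started Python processes and checks whether it moves. Under ASLR the reported addresses differ from run to run; with randomization disabled, identical processes report identical addresses. The `randomize_va_space` check is Linux-specific and returns `None` elsewhere; the function names are this example’s own.

```python
"""Empirically check whether ASLR is active by sampling addresses from fresh processes."""
import subprocess
import sys

# Snippet run in each child interpreter. CPython's allocator hands out memory from
# mmap-backed arenas, so the object's address shifts between processes when ASLR is on.
CHILD_SNIPPET = r"""
probe = bytearray(1 << 20)   # a fresh allocation in a fresh process
print(hex(id(probe)))
"""


def sample_addresses(runs=4):
    """Spawn `runs` child interpreters and collect the address each one reports."""
    samples = []
    for _ in range(runs):
        result = subprocess.run([sys.executable, "-c", CHILD_SNIPPET],
                                capture_output=True, text=True, check=True)
        samples.append(int(result.stdout.strip(), 16))
    return samples


def aslr_looks_enabled(samples):
    """True when the sampled addresses are not all identical across processes."""
    return len(set(samples)) > 1


def linux_aslr_setting():
    """Kernel randomize_va_space value on Linux (0 = off, 1 = partial, 2 = full), else None."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as fh:
            return int(fh.read().strip())
    except OSError:
        return None


if __name__ == "__main__":
    addresses = sample_addresses()
    for addr in addresses:
        print(hex(addr))
    print("kernel setting:", linux_aslr_setting())
    print("ASLR appears", "enabled" if aslr_looks_enabled(addresses) else "DISABLED")
```

A single moving address only shows that one region is randomized; a thorough check looks at the executable, libraries, heap and stack separately (on Linux, `/proc/<pid>/maps` lists them), since a non-PIE binary keeps a fixed code base even when the kernel setting is 2, and on Windows each module opts in with `/DYNAMICBASE`.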
In their paper, researchers reached a dramatic conclusion: