Windows Policy Loopholes
Learn how a new malicious driver abuses a Windows driver-signing policy loophole so that it can run at kernel level.


A Microsoft Windows policy loophole, identified by Cisco Talos, allows threat actors to sign malicious kernel-mode drivers that the Windows OS then loads and executes. RedDriver, a malicious kernel-mode driver, poses a far more serious threat than user-mode malware would.

Severe threat associated with malicious kernel-mode drivers

Malicious kernel-mode drivers are more dangerous for a number of reasons:

  • They run at a lower level of the OS, where they are harder to detect than user-mode applications.
  • They can bypass security controls because they directly access software and hardware components.
  • They are persistent and run again whenever the OS reboots.
  • They can embed rootkit functionality to hide the presence of other malware on the system.

Policy changes implemented by Windows

Policy changes introduced with Windows Vista restrict which kernel-mode drivers the OS will load. Microsoft's later modifications have developers submit drivers for review and signing through Microsoft's developer portal.

Some of the policy exceptions are as follows:

  • Secure Boot is turned off in the BIOS.
  • The PC was upgraded from a previous release of Windows to Windows 10 version 1607.
  • Drivers are signed with an end-entity certificate issued before July 29, 2015, which chains to a supported cross-signed CA.

Chinese threat actors exploit the third exception by manipulating the signing date, using open-source tools such as:

  • FuckCertVerifyTimeValidity (aka FuckCertVerify)
  • HookSignTool

The loophole that is exploited

Microsoft introduced these exceptions to preserve the compatibility and functionality of older drivers. The exploitation works as follows:

  • FuckCertVerifyTimeValidity and HookSignTool help developers exploit the Windows policy loophole.
  • The tools use the Microsoft Detours package, a library for instrumenting and monitoring Windows API calls, to pass a custom time in the pTimeToVerify parameter. This makes an otherwise invalid time pass verification, and the detour changes the signing timestamp while the signing tool runs.
  • RedDriver is a previously undocumented malicious kernel-mode driver; once executed, it hijacks browsers based on a hardcoded list of browser names.
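As an added example (not code from the article or from Cisco Talos), the following PowerShell script, assumed to run in an elevated session on Windows 10 or later, lists the installed kernel-mode drivers whose signing certificate predates the July 29, 2015 cut-off described above, is not valid, or is not Microsoft-issued, and also reports the Secure Boot state; the function names Resolve-DriverPath and Get-SuspectDrivers are the example's own.

```powershell
# Added example, not from the article or Cisco Talos. Builds a review list of
# kernel-mode drivers matching the signing-policy exceptions described above.
# Assumes an elevated PowerShell session on Windows 10 or later.
$Cutoff = Get-Date -Year 2015 -Month 7 -Day 29 -Hour 0 -Minute 0 -Second 0

# Secure Boot off is the first exception in the article; report it up front.
$SecureBoot = try { Confirm-SecureBootUEFI } catch { $false }
Write-Host "Secure Boot enabled: $SecureBoot"

function Resolve-DriverPath {
    param([string]$RawPath)
    # Service image paths use NT forms; map the common ones to Win32 paths.
    $p = $RawPath.Trim('"')
    if ($p -match '^\\\?\?\\(.+)$')       { $p = $Matches[1] }
    if ($p -match '^\\SystemRoot\\(.+)$') { $p = Join-Path $env:SystemRoot $Matches[1] }
    if ($p -match '^system32\\')          { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspectDrivers {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.PathName }
    foreach ($d in $drivers) {
        $path = Resolve-DriverPath $d.PathName
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $cert = $sig.SignerCertificate
        $reason = $null
        if ($null -eq $cert) {
            $reason = 'No signer certificate'
        } elseif ($cert.NotBefore -lt $Cutoff) {
            # The third exception: end-entity cert issued before the cut-off.
            $reason = 'Signing cert predates 2015-07-29'
        } elseif ($sig.Status -ne 'Valid') {
            $reason = "Signature status $($sig.Status)"
        } elseif ($cert.Issuer -notmatch 'Microsoft') {
            # Drivers signed after the cut-off are expected to chain to a Microsoft CA.
            $reason = 'Not issued by a Microsoft CA'
        }
        if ($reason) {
            $signer = if ($cert) { $cert.Subject } else { '' }
            $from   = if ($cert) { $cert.NotBefore.ToString('yyyy-MM-dd') } else { '' }
            [pscustomobject]@{
                Driver = $d.Name; Started = $d.Started; Path = $path
                Signer = $signer; CertFrom = $from; Reason = $reason
            }
        }
    }
}

Get-SuspectDrivers | Sort-Object CertFrom | Format-Table -AutoSize
```

Legitimate older third-party drivers will also appear in this list, so treat it as a review queue rather than a verdict; drivers signed with a forged timestamp still carry a certificate issued before the cut-off, which is what the first flag catches.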

Recommendations:

Organizations should follow these recommendations to defend against abuse of the Windows security policy loophole:

  • Ensure that Windows has the latest updates installed and that each update is legitimate.
  • Ensure that endpoint detection and antivirus products are updated with the latest available signatures.
  • Configure EDR and AV tools properly.
  • Enable the key security features of the EDR and AV tools to maintain optimal defense.


Baishali Bhattacharyya

Content Writer with 7+ Years Of Experience| Navigating through SEO one step at a time | Crafting Engaging Stories For Brands

1 year

Thanks for sharing
