The presentation discusses various techniques used by malicious drivers to evade detection and compromise systems, as well as the importance of analyzing and protecting against these techniques.
- Malicious drivers often use techniques such as hooking, encryption, and random driver selection to evade detection and compromise systems
- Patchguard can be used to protect against some of these techniques, but malicious drivers may also try to avoid touching protected areas
- Advanced malware may use techniques such as altering the MBR or hiding sectors to bypass security measures
- It is important for security professionals to be aware of these techniques and to analyze and protect against them
The presenter provides a real-life example of a system in Brazil that was not protected against BIOS writing, allowing anyone to write malicious code to the BIOS. This highlights the importance of understanding and protecting against these techniques to prevent system compromise.
Advanced malware such as TDL4, Rovnix, Gapz, Omasco, Mebromi and others have exposed in recent years various techniques used to circumvent the usual defenses and have shown how much companies are not prepared to deal with these sophisticated threats. Although the industry has implemented new protections such as Virtualized Based Security, Windows SMM Security Mitigation Table (WSMT), Kernel Code Signing, HVCI, ELAM, Secure Boot, Boot Guard, BIOS Guard, and many others, it is still unknown the professionals of the architecture of these protections, what are the components attacked by these contemporary malwares in the context of BIOS / UEFI and what are the tricks used by them. Precisely because of the lack of adequate understanding, most machines (BIOS / UEFI + operating system) remain vulnerable in the same way as a few years ago. In addition, there are a growing number of malwares that have used kernel drivers to circumvent limitations and protections in order to gain full access to the operating system and data. Exactly for these reasons, it is necessary to understand the way that malwares act as device drivers and what are the mechanisms used by these threats to infect an operating system. The purpose of this presentation is to show clearly and without too much details that often hinders understanding, how these threats act, which components are attacked, what are the techniques used by these advanced malware to subvert the system and how existing protections work .