Windows Signed Drivers Take On New Value

For years, Microsoft has battled unsigned Windows drivers. By requiring driver authors to sign their products, Microsoft reasoned, every driver would be tied to an identifiable publisher and any tampering after release would be detectable, making the products better and more secure. On 64-bit Windows 7 the policy has teeth: an unsigned kernel-mode driver will not load unless the user disables driver signature enforcement at each boot (or puts the machine permanently into test-signing mode), a major negative for most users.

Hijacked Windows Drivers Pose New Headache

Examine my last statement carefully; if an unsigned driver stalls the boot process, the converse holds too: Windows 7 will load a properly signed driver without complaint. And therein lies an entirely new problem for Microsoft. Signing credentials are being stolen, hijacked, and commandeered by malware such as the Zeus Trojan and Stuxnet. A malicious (yet duly signed) driver can be used to deliver a nasty payload, and malware authors are doing just that.

Stuxnet's drivers are signed with code-signing certificates stolen from RealTek and JMicron. A Zeus Trojan variant carries an expired signing certificate lifted from Kaspersky Labs software (a product meant to remove Zeus) to launch itself. What's the difference? The Stuxnet signatures were actually generated with the private keys and certificates stolen from RealTek and JMicron, so they verify as genuine; essentially, it's a form of identity theft. In the Zeus Trojan case, the expired certificate information was simply copied and pasted into the malware, so the signature does not verify. Windows does warn the user about the expired certificate, but it still lets the user authorize the file anyway.
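The practical check that follows from the two cases above is to look at what Windows itself says about each loaded driver's signature: whether it verifies at all, whether the file was modified after signing, whether the signer chains to a trusted root, and, for an expired certificate, whether a timestamp countersignature vouches for when the signature was made. The script below is an added example written for this article; it is not code from Microsoft or from any vendor named here. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run as an administrator so every driver file is readable, and the function name `Test-DriverSignature` is my own.

```powershell
# Added example, not code from the original article or from Microsoft.
# Enumerates the kernel drivers currently loaded and checks each file's
# Authenticode signature, flagging the cases discussed in the article:
# unsigned or tampered files, signers the machine does not trust, and
# certificates that expired with no timestamp countersignature.

function Test-DriverSignature {
    [CmdletBinding()]
    param(
        # Driver files to examine; defaults to every running kernel driver.
        [string[]]$Path = @(
            Get-CimInstance -ClassName Win32_SystemDriver |
                Where-Object { $_.State -eq 'Running' -and $_.PathName } |
                ForEach-Object {
                    # Normalize the NT-style paths the service database may report.
                    $p = $_.PathName -replace '^\\\?\?\\', ''
                    $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
                } |
                Sort-Object -Unique
        )
    )

    $now = Get-Date
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) { continue }

        $sig      = Get-AuthenticodeSignature -LiteralPath $file
        $cert     = $sig.SignerCertificate
        $findings = @()

        switch ($sig.Status) {
            'Valid'        { }
            'NotSigned'    { $findings += 'unsigned' }
            'HashMismatch' { $findings += 'hash mismatch: file modified after signing' }
            'NotTrusted'   { $findings += 'signer chain not trusted' }
            default        { $findings += "verification failed ($($sig.Status))" }
        }

        # An expired signing certificate is acceptable only when a timestamp
        # authority countersigned the signature while the certificate was valid.
        if ($cert -and $cert.NotAfter -lt $now -and -not $sig.TimeStamperCertificate) {
            $findings += "certificate expired $($cert.NotAfter.ToShortDateString()) and signature is not timestamped"
        }

        $signer  = $null
        $expires = $null
        if ($cert) {
            $signer  = $cert.Subject
            $expires = $cert.NotAfter
        }

        [pscustomobject]@{
            Path        = $file
            Status      = $sig.Status
            Type        = $sig.SignatureType      # Authenticode, Catalog or None
            Signer      = $signer
            Expires     = $expires
            Timestamped = [bool]$sig.TimeStamperCertificate
            Findings    = $findings -join '; '
        }
    }
}

# Usage: report only the drivers that need a second look.
Test-DriverSignature | Where-Object Findings | Format-Table -AutoSize
```

Two things to keep in mind when reading the output. Most inbox Windows drivers carry no embedded signature and verify through a catalog file instead, which shows up as `Type = Catalog` and is normal. And a Stuxnet-style driver signed with a stolen but still-valid certificate will report `Valid` here, because the signature really was made with the vendor's key; that case is caught only by revocation of the stolen certificate or by noticing a "RealTek"-signed driver that RealTek never shipped, not by signature verification alone.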

Security experts say that using expired certificates as malware cover affects not just operating systems like Windows, but also browser security. Who hasn’t encountered an expired certificate when accessing a secure Web site?

What's the solution? Experts disagree, but one proposed workaround is to refuse expired certificates outright rather than leaving the decision to the user. Most users, experts reason, don't have the tools or the experience to tell an expired certificate belonging to a legitimate company from one that has been hijacked to deliver malware to an unsuspecting target. One caveat for signed code: a signature countersigned by a trusted timestamping authority remains valid after the signing certificate expires, because the timestamp proves the certificate was still in force when the signature was made; it is the untimestamped signature that goes stale.

Are we likely to see a movement away from certificates? Probably not, but we will likely see a tougher approach to the issuance of certificates, meaning more vetting when certificates are issued and more care taken by software authors to protect the private keys that produce their signatures. Standards organizations may also revisit the way expired certificates are identified, and perhaps we'll see tools designed to help verify the authenticity of a certificate that has expired but may otherwise still be valid for use.

Photo Credit: Dullhunk via Flickr