Signed Windows Drivers Not A Surefire Protection


In the past decade, hackers and malware engineers have used Windows drivers as an attack vector against the Windows operating system. By exploiting some weaknesses in the OS design, and other weaknesses in the implementation of Windows drivers, malware engineers have been able to defeat security measures designed to prevent or limit the damage a malware infection can do.

Windows 7 First To Require Signed Drivers

As one way to address this issue, Microsoft began to require the use of digitally signed drivers when it introduced Windows 7. A digitally signed driver identifies the author of the driver and generally “vouches” for the source code as being authentic. That sounds like a good way to ensure that only legitimate drivers are installed, but there are two ways around the signed-driver requirement.

First, users can load unsigned drivers but must agree to do this at boot time. This means each time the OS loads and encounters an unsigned driver, the user must authorize the installation of the unsigned driver. The boot process stops until the authorization is received. Naturally, this gets to be a pain pretty quickly, but it does draw attention to the fact that the user is authorizing potentially unsafe behavior.

There are also some “non-standard” ways to self-sign a driver that will satisfy the Windows UAC complaints regarding unsigned drivers, but we will not address those here. Again, the fact that a user “self-signs” the driver is a good indicator that the action is risky and should only be attempted if the driver software is known to be good and has not been tampered with or corrupted by malware.

Second, malware engineers can “hijack” signed drivers, which is what happened in the case of Stuxnet. Stuxnet, as you recall, is a worm that uses a stolen driver authorization and has the ability to fool both system software and anti-virus software. The target of Stuxnet isn’t your PC at home, though this worm might indeed infect your computer. As of now, the true target of Stuxnet is thought to be major infrastructure systems like power plants and other industrial targets.

Don’t get too comfortable with Stuxnet, though. While your computer probably isn’t running a nuclear power plant or controlling traffic lights, Stuxnet is also a “proof-of-concept” for other malware authors who have a different set of goals in mind for your unused processor cycles. The issue of stolen driver signatures must be addressed in current and future versions of Windows because clearly, relying on the presence or absence of a digital signature on a Windows driver is simply not enough.
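To make the last point concrete, here is an added PowerShell example (not part of the original article) that audits driver files by who signed them rather than by whether a signature exists. The deny-list thumbprint is a placeholder and the expected-publisher names are assumptions to adapt to your own environment.

```powershell
# Added example: report drivers whose signature is missing or invalid, AND drivers
# whose signature is valid but comes from a signer you no longer (or never) trusted.

# Placeholder value, not a real certificate. Fill from your own revocation or
# incident data, e.g. thumbprints of code-signing certificates reported stolen.
$DeniedThumbprints = @('0000000000000000000000000000000000000000')

# Assumption: subject substrings of the publishers expected on this machine.
$ExpectedPublishers = @('Microsoft Windows', 'Microsoft Corporation')

function Get-DriverSignatureFinding {
    param([Parameter(Mandatory)] [string] $Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate      # $null when the file carries no signature

    $finding = 'ok'
    if ($sig.Status -ne 'Valid') {
        # Catalog-signed files may show as NotSigned on older PowerShell versions,
        # so treat this status as a lead to investigate, not a verdict.
        $finding = "signature status: $($sig.Status)"
    }
    elseif ($DeniedThumbprints -contains $cert.Thumbprint) {
        # The case the article warns about: a valid signature made with a
        # certificate that should no longer be trusted.
        $finding = 'valid signature, signer certificate is on the deny list'
    }
    elseif (-not ($ExpectedPublishers | Where-Object { $cert.Subject -like "*$_*" })) {
        $finding = 'valid signature, unexpected publisher'
    }

    [pscustomobject]@{
        File       = Split-Path -Path $Path -Leaf
        Finding    = $finding
        Signer     = $cert.Subject
        Thumbprint = $cert.Thumbprint
    }
}

# Inventory the driver directory and show only entries that need a closer look.
Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter *.sys |
    ForEach-Object { Get-DriverSignatureFinding -Path $_.FullName } |
    Where-Object Finding -ne 'ok' |
    Sort-Object Finding, Signer |
    Format-Table -AutoSize
```

On most machines the third-party drivers will land in the "unexpected publisher" group at first; extending `$ExpectedPublishers` until that group is empty gives a per-host baseline that a newly appearing signer will stand out against.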

Photo Credit: Nick Stenning, via Flickr