Over the past 15 years, Microsoft has made huge progress fortifying the Windows kernel, the core of the OS that hackers must control to successfully take control of a computer. A cornerstone of that progress was the enactment of strict new restrictions on the loading of system drivers that could run in kernel mode. These drivers are crucial for computers to work with printers and other peripherals, but they’re also a convenient inroad that hackers can take to allow their malware to gain unfettered access to the most sensitive parts of Windows. With the advent of Windows Vista, all such drivers could only be loaded after they’d been approved in advance by Microsoft and then digitally signed to verify they were safe.
Last week, researchers from security firm ESET revealed that about a year ago, Lazarus, a hacking group backed by the North Korean government, exploited a mile-wide loophole last year that existed in Microsoft’s driver signature enforcement (DSE) from the start. The malicious documents Lazarus was able to trick targets into opening were able to gain administrative control of the target’s computer, but Windows’ modern kernel protections presented a formidable obstacle for Lazarus to achieve its objective of storming the kernel.
Path of least resistance
So Lazarus chose one of the oldest moves in the Windows exploitation playbook—a technique known as BYOVD, short for bring your own vulnerable driver. Instead of finding and cultivating some exotic zero-day to pierce Windows kernel protections, Lazarus members simply used the admin access they already had to install a driver that had been digitally signed by Dell prior to the discovery last year of a critical vulnerability that could be exploited to gain kernel privileges.