Gigabyte + Windows 7 8 & 10 Are At Risk!

[kyonides]

Ransomware installs Gigabyte driver
to kill antivirus products

It has been reported that a ransomware gang, those that encrypt your sensitive stuff and ask you for a fee to decrypt it (if they ever do it), has found another method to vulnerate your PC if your motherboard chipset belongs to Gigabyte.  Yes, it deactivates your Antivirus in no time.

https://www.zdnet.com/article/ransomware...-products/

In a report published late last night, Sophos described this new technique as follows:

1. Ransomware gang gets a foothold on a victim's network.
   
2. Hackers install legitimate Gigabyte kernel driver GDRV.SYS.
   
3. Hackers exploit a vulnerability in this legitimate driver to gain kernel access.
   
4. Attackers use the kernel access to temporarily disable the Windows OS driver signature enforcement.
   
5. Hackers install a malicious kernel driver named RBNL.SYS.
   
6. Attackers use this driver to disable or stop antivirus and other security products running on an infected host.
   
7. Hackers execute the RobbinHood ransomware and encrypt the victim's files.
   

Per Sophos, this antivirus bypassing technique works on Windows 7, Windows 8, and Windows 10.

Basically what it says is that they manage to connect to your home network (by hacking your WiFi or your router?) and then place a driver that impersonates the usual Gigabyte driver. Nope, it's not like they care about your security. They just know that driver so well as to send a few commands to force it to do their bidding! They deactivate Windows features and then it's free to install the real malware that might steal all of your precious moments captured with your camera or all those valuable documents and spreadsheets you had to submit by the end of the week. Antivirus get some serious sleep and after a while you'd get a request for making a payment. Usually they keep asking for more and more money for nothing in return.

For this debacle, two parties are at fault -- first Gigabyte, and then Verisign.

Gigabyte's fault resides in its unprofessional manner in which it dealt with the vulnerability report for the affected driver. Instead of acknowledging the issue and releasing a patch, Gigabyte claimed its products were not affected.

Now you know how exactly you've ended up fearing when that massive and terrible data loss might ever happen.

The company's downright refusal to recognize the vulnerability led the researchers who found the bug to publish public details about this bug, along with proof-of-concept code to reproduce the vulnerability. This public proof-of-concept code gave attackers a roadmap to exploiting the Gigabyte driver.

When public pressure was put on the company to fix the driver, Gigabyte instead chose to discontinue it, rather than releasing a patch.

Well, usually whenever a programmer demonstrates that some piece of code is vulnerable, the companies involved in that mess do something to remedy it... except for Gigabyte!  

Of course, hackers like those living in North Korea or Iran or probably China as well are now fully aware of this epic fail and can now target as many affected Gigabyte based PC's as possible.

Verisign, a company in charge of driver security certificates, could have invalidated the driver's certificate as a way to tell Windows it's unsafe... but they just ignored the issue as well.

Keep in mind there are other variants of this kind of cyber attack that may even reboot your PC to enter safe mode and make sure you can't run any antivirus software!  

What I'd usually recommend you here would be to do any of the following:

• Ditch Windows altogether and keep using Linux  
  
• Install Linux in a separate harddisk or disk partition and then install any antivirus available for Linux that you can run to get rid of any malicious software found in your Windows partition(s).
  

The following section applies only to other variants of this cyberattack

Sadly Houston, we got a problem here. AFAIK there's no antivirus that can check if your motherboard chips got compromised. You'd need to call a technician to flash your compromised chip, hoping it won't render your motherboard useless in case the flashing fails or keeps failing. If carefully done, it should usually work... Still, I can't guarantee that will be more than enough to get rid of the menace.

[MetalRenard]

My old PC uses a Gigabyte mobo and I haven't booted for 3 years now. It never managed to run Windows 10 (it would auto-corrupt every time I tried and microsoft couldn't fix it) so it's still on 7. I guess I'll have to update it if I ever use it again.

[DerVVulfman]

Dialup for the win!

[kyonides]

I'm sorry to tell you this, Wulfo, but your connection speed isn't a real advantage if it starts downloading the drivers while you're AFK.

[DerVVulfman]

Assuming you have GDRV.SYS, the hacker's back door into your system....
.... which I don't.

[kyonides]

O_o? I think you haven't read the part where they infiltrate your local network to install that GDRV.SYS driver on your PC... Even if you just use a dial up modem, how often has AOL updated its drivers? When was the last time they replaced the modem?

[DerVVulfman]

Ahh... I use a simple USB modem. And it cannot support Gigabyte. Research is fun.