BYOVD Attack Risks: Evade Microsoft Defender and Install Ransomware – Essential Protection Tips

A BYOVD (Bring Your Own Vulnerable Driver) attack abuses a legitimately signed driver that contains an exploitable flaw. Because Windows trusts the signature, the attacker can load the driver, run code at the kernel level, switch off Microsoft Defender and then deploy ransomware. The protective measures in this guide reduce both the chance that such a driver can be loaded and the damage if it is.

Understanding the BYOVD Attack and Its Impact on Microsoft Defender

The attack described here uses rwdrv.sys, the driver shipped with RWEverything and also installed by utilities such as ThrottleStop and various fan-control tools. The driver is legitimately signed, so Windows will load it, but it can be abused to gain unauthorized kernel-level access. The attack proceeds as follows:

  • The attackers first gain a foothold on the target PC, typically through a network compromise or a Remote Access Trojan (RAT), and obtain administrator rights.
  • With those rights they register and load the signed rwdrv.sys driver, or reuse a copy already installed by a legitimate utility.
  • The vulnerable driver is abused to obtain kernel-level access, which is then used to load a second, malicious driver, hlpdrv.sys.
  • hlpdrv.sys alters the Windows Registry settings that control Microsoft Defender, switching its protection off.
  • With Defender disabled, the attackers deploy ransomware or carry out whatever other actions they choose.

So far the Akira ransomware has been linked to these attacks, but once Defender is out of the way nothing limits the attacker to ransomware. The preventive measures below reduce that risk.

Enhancing Windows Security Features

Windows includes security features that can stop this chain before Defender is ever reached. Search for “Windows Security” in the Start menu and review the following options, some of which are disabled by default:

  • Controlled folder access: This blocks untrusted programs from modifying files in protected folders, which limits what ransomware can encrypt. It is a Microsoft Defender feature and only works while real-time protection is on, so treat it as a layer against the final step of the chain, not as something that survives Defender being switched off. Go to Virus & threat protection → Manage settings → Manage Controlled folder access and toggle it on. You can add further folders to the protected set beyond the default user folders.
[Image: Enabling Controlled folder access in Windows 11]
  • Core isolation: These hypervisor-backed features are independent of Defender. Memory integrity (HVCI) prevents unsigned or known-bad code from running in the kernel, and the Microsoft Vulnerable Driver Blocklist, also listed under Core isolation, stops Windows from loading drivers that Microsoft has flagged as exploitable, which is exactly the BYOVD entry point. The blocklist only helps for drivers already on Microsoft's list, so it complements rather than replaces removing unneeded drivers. Go to Device security → Core isolation details and enable everything offered there. Memory integrity will refuse to turn on while an incompatible driver is installed; Windows Security lists the offending drivers, which must be updated or removed first.
[Image: Core isolation settings in Windows 11]
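The same checks and toggles from an elevated PowerShell session, as an added example that is not code from the original article. The registry locations are the standard ones for these settings on Windows 11, the Defender cmdlets are Microsoft's own, and the extra protected folder path is a placeholder.

```powershell
# Added example (not from the article): audit, then enable, the Windows Security
# settings discussed above. Run in an elevated PowerShell session.
# Assumptions: registry paths are the standard Windows 11 locations for these
# toggles; "$env:USERPROFILE\Projects" is a placeholder folder.

function Get-HardeningStatus {
    $pref = Get-MpPreference
    $mp   = $null
    try { $mp = Get-MpComputerStatus } catch { }   # fails if the Defender service is off
    $dg   = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $ci   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue

    $rtp = if ($mp) { $mp.RealTimeProtectionEnabled } else { 'Defender unavailable' }
    [pscustomobject]@{
        RealTimeProtection        = $rtp
        # 0 = Disabled, 1 = Enabled, 2 = Audit mode; only meaningful while RTP is on
        ControlledFolderAccess    = $pref.EnableControlledFolderAccess
        # SecurityServicesRunning contains 2 when memory integrity (HVCI) is active
        MemoryIntegrityRunning    = [bool]($dg.SecurityServicesRunning -contains 2)
        VulnerableDriverBlocklist = [bool]($ci -and $ci.VulnerableDriverBlocklistEnable -eq 1)
    }
}

function Enable-Hardening {
    # Controlled folder access, plus one extra folder beyond the defaults
    Set-MpPreference -EnableControlledFolderAccess Enabled
    Add-MpPreference -ControlledFolderAccessProtectedFolders "$env:USERPROFILE\Projects"

    # Memory integrity: takes effect after a reboot. If an incompatible driver is
    # present Windows Security will list it and the setting will not turn on.
    $hvci = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    if (-not (Test-Path $hvci)) { New-Item -Path $hvci | Out-Null }
    Set-ItemProperty -Path $hvci -Name Enabled -Value 1 -Type DWord

    # Microsoft vulnerable driver blocklist (the Core isolation toggle); reboot to apply
    $ciCfg = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    if (-not (Test-Path $ciCfg)) { New-Item -Path $ciCfg | Out-Null }
    Set-ItemProperty -Path $ciCfg -Name VulnerableDriverBlocklistEnable -Value 1 -Type DWord
}

'== Before =='; Get-HardeningStatus
Enable-Hardening
'== After (memory integrity and blocklist report as running only after reboot) =='; Get-HardeningStatus
```

Run it once before and once after the reboot: the Defender settings change immediately, while the two Core isolation values are read by the kernel at boot, so MemoryIntegrityRunning stays false until then.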

Removing Unnecessary Kernel-Level Utilities

Be cautious with utilities that run at the kernel level: several of them, including ThrottleStop and RWEverything, install rwdrv.sys. If the driver is already present and registered on a system, the attacker does not even need to bring a copy, and already-installed copies have been used in recent attacks. If you do not need these tools, uninstall them, and with them the driver.

To check whether rwdrv.sys is on disk, type “cmd” into Windows Search, right-click Command Prompt, choose Run as administrator, and run where /r C:\ rwdrv.sys. If the output lists the file, identify the application that installed it and uninstall that application. Note that this only finds the file on the system drive; a driver can be registered as a kernel service from any path, so also check which drivers are registered and loaded.

[Image: Finding rwdrv.sys using Command Prompt]
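A fuller hunt for the chain described under “Understanding the BYOVD Attack” and for the check above, as an added example that is not code from the article or from the researchers it cites. Only the two driver file names come from the article; every path, event ID and registry value below is a standard Windows location, and DisableAntiSpyware is used as an assumed example of the kind of Defender-disabling policy value such a chain would write, not as a published indicator.

```powershell
# Added example (not from the article): hunt for rwdrv.sys / hlpdrv.sys on a host.
# Run in an elevated PowerShell session.
# Assumptions: driver names as in the article; everything else is a standard
# Windows location. DisableAntiSpyware is an assumed example policy value.

$Names   = @('rwdrv.sys', 'hlpdrv.sys')
$Pattern = ($Names | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Find-DriverFiles {
    # Same coverage as `where /r C:\ rwdrv.sys`, with hash and signature for IoC matching.
    # Recursing the whole system drive is slow; narrow -Path to System32\drivers if preferred.
    Get-ChildItem -Path "$env:SystemDrive\" -Recurse -File -Force -Include $Names -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                SHA256    = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                Signer    = $sig.SignerCertificate.Subject
                SigStatus = $sig.Status
            }
        }
}

function Find-DriverServices {
    # A loader registers the driver as a kernel service under a name of its choosing,
    # so match on the image path, not the service name.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and ($_.PathName -match $Pattern) } |
        Select-Object Name, State, StartMode, PathName
}

function Find-DriverInstallEvents {
    # System log event 7045 ("A service was installed in the system") records when
    # the driver was registered and under which account.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern } |
        Select-Object TimeCreated, UserId, Message
}

function Test-DefenderTamper {
    # The chain ends by editing registry settings that switch Defender off. Check the
    # policy key where such a value would be written, then what Defender reports itself.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $v   = Get-ItemProperty -Path $pol -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    $status = $null
    try { $status = Get-MpComputerStatus } catch { }   # throws if the service was killed

    $policy = if ($v) { $v.DisableAntiSpyware } else { 'not set' }
    $rtp    = if ($status) { $status.RealTimeProtectionEnabled } else { 'Defender service unavailable' }
    $am     = if ($status) { $status.AMServiceEnabled } else { $false }
    [pscustomobject]@{
        DisableAntiSpywarePolicy = $policy
        RealTimeProtection       = $rtp
        AMServiceRunning         = $am
    }
}

'== Driver files on disk ==';   Find-DriverFiles
'== Kernel driver services ==';  Find-DriverServices
'== Service install events =='; Find-DriverInstallEvents
'== Defender state ==';         Test-DefenderTamper
```

A legitimate RWEverything or ThrottleStop install will show up in the first two sections with a valid signature and a start mode you recognise; what points at the attack is a second copy in an unexpected path, a service created at an odd hour by an account that should not be installing drivers, or a Defender policy value that nobody set.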

Utilizing Standard User Accounts for Daily Operations

The BYOVD chain needs administrator rights to register and load the vulnerable driver, so using a standard account for everyday work, rather than an administrator account, removes the privilege the attack depends on.

On a standard account, an attacker who compromises your session cannot silently make elevated changes: any attempt to install a driver or change system settings triggers a UAC prompt asking for administrator credentials, which both blocks the action and alerts you to it. To create one, open Windows Settings, go to Accounts → Other users → Add account, and follow the prompts, choosing standard rather than administrator privileges.

[Image: Creating a new account in Windows 11]
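The same procedure from PowerShell, with the check that the account really is a standard one, as an added example that is not code from the original article. It uses Microsoft's LocalAccounts cmdlets; the account name 'daily' is a placeholder.

```powershell
# Added example (not from the article): audit who holds local administrator rights
# and create a standard account for daily use, the PowerShell equivalent of
# Settings > Accounts > Other users > Add account. Run elevated once.
# Assumption: 'daily' is a placeholder account name.

function Get-LocalAdminReport {
    $user   = $env:USERNAME
    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    [pscustomobject]@{
        CurrentUser        = $user
        # member names are "MACHINE\user" or "DOMAIN\user"; compare on the user part
        CurrentUserIsAdmin = [bool]($admins | Where-Object { $_ -like "*\$user" })
        Administrators     = $admins
    }
}

function New-StandardAccount {
    param([Parameter(Mandatory)][string]$Name)
    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        Write-Warning "$Name already exists"
        return
    }
    $pw = Read-Host -AsSecureString -Prompt "Password for $Name"
    New-LocalUser -Name $Name -Password $pw | Out-Null
    # New-LocalUser does not add the account to any group: put it in Users, never Administrators
    Add-LocalGroupMember -Group 'Users' -Member $Name
    # Verify the result before handing the account over
    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    if ($admins | Where-Object { $_ -like "*\$Name" }) {
        throw "$Name unexpectedly holds administrator rights"
    }
    "Created standard account $Name"
}

Get-LocalAdminReport
New-StandardAccount -Name 'daily'
```

If the report shows your everyday account in Administrators, keep that account for administrative tasks only and sign in with the new standard account for daily work; UAC will ask for the administrator's credentials whenever something needs elevation.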

Exploring Alternate Antivirus Solutions

This particular chain targets the registry settings that control Microsoft Defender, so a third-party antivirus would not be switched off by that step. Do not overstate this: an attacker with kernel-level access can in principle disable any security product, and different products simply require different tampering. Switching antivirus raises the bar for this specific attack; it does not replace blocking the driver.

If you do switch, choose a reputable product with real-time scanning; the free editions of Avast or AVG Antivirus are examples.

Security researchers at GuidePoint and Kaspersky have tracked the use of rwdrv.sys in BYOVD attacks delivering Akira ransomware and have published indicators of compromise (IoCs); compare the file hashes and service names on your systems against them. Until such drivers are blocked by default, stay proactive: enable every Windows security feature available, particularly the Core isolation settings and Microsoft Defender's advanced protections.
