Norton Labs | 5 min read

Vulnerable Drivers – An Unseen Part of the Gaming Security Ecosystem

Why some trusted, legitimate drivers pose a significant risk to the gaming community and how we can mitigate the outcome

Gamers face tailored online security threats. These threats use social engineering to manipulate players into behavior that leads to compromised personal information, gaming account takeovers and even theft of their in-game items and real-world money.

Gamer security threats materialize in different ways. One involves players, cybercriminals, and legitimate but flawed software. In this case, the software flaw comes in the form of a vulnerable device driver within an operating system such as Microsoft Windows.

Here’s how the security threat unfolds, starting with the gamer mindset.

One thing leads to another

To gain an edge over other players, such as better aiming in player-vs-player first-person shooting games, gamers seek out software cheats that modify gaming behavior. These cheats bestow powers the game developers didn’t intend for users to possess. Unfortunately, these cheats often contain malware that infects the would-be cheater’s computer.

Gamers also seek out ways to use software without paying for it. The tools involved are sometimes known as cracks. Some of them remove licensing checks from software, while others promise to produce valid license keys (key generators, or keygens) for commercial software.

Here, too, gamers are manipulated into risky behavior they might otherwise avoid. While keygens may contain malware, gamers using cracks that promise to install a version of a game without licensing may find themselves installing vulnerable programs or software that exploits existing vulnerable software already installed.

An entire ecosystem exists to create, market, and exploit malicious software cracks, as previously described in our research examining gaming cracks and cheats. And while it might be understandable that some seek to use software they haven’t paid for, it is particularly interesting that people engage in such risky behavior with security software, the very same software they plan to rely on to protect themselves from malware.

It is also worth noting a dramatic increase in the misuse of gaming collaboration platforms such as Discord, whose channels are used to spread different kinds of malware. On the same note, but probably more worrisome, is a recent discovery by Activision of a maliciously backdoored Call of Duty version camouflaged as cheat software and offered on various online gamer forums.

The role of vulnerable drivers in gamer security threats

Both cheats and standalone malware install or exploit vulnerable software. This vulnerable software often takes the form of a device driver within an operating system such as Microsoft Windows.

Windows drivers are installed on a regular basis by gamers to let their specialized hardware communicate with the operating system. However, some of these certified and trusted drivers are shipped with vulnerabilities that can pose an unwanted and often overlooked risk to the user.

In some cases, threat actors can compromise the user’s device by taking advantage of these software flaws.

Drivers function in-between two worlds

From a bird’s-eye view, a driver is software that abstracts the operating system’s interactions with hardware. Some drivers communicate directly with devices, while others communicate only with other drivers to facilitate the interface between an operating system and a device.

Drivers enable developers to deliberately ignore any nitty-gritty details about the hardware internals and, thus, build applications independently. To function, drivers execute with more powers and privileges compared with regular user applications.

To function efficiently, operating systems typically run in a two-level hierarchical model. The first and more powerful is called “kernel mode,” where all the critical decisions are made, and security is enforced. The second, a less privileged one, is called “user mode,” where the user’s applications and data reside and roam freely without worrying about disrupting the system.

You may have already guessed that, given its role, a driver runs in kernel mode, hence its importance and powers.

Hopefully it is now becoming clear why a driver’s integrity is so crucial, as any unintended behavior within a driver could compromise an operating system.

Yet, how is it possible for privileged code to be misused to the point where legitimate software can be leveraged as a Trojan horse?

Keeping driver vulnerabilities at bay

Like any other software, device drivers are susceptible to diverse types of bugs, and memory corruption bugs are no exception. Often, these bugs can lead to a shift from the behavior originally intended by the developer who wrote the code. Although some bugs lead to only a system crash, others can be deftly controlled to hijack a program’s control flow and eventually be weaponized by an attacker.

Whenever a bug can be exploited, it qualifies as a vulnerability, but not all vulnerabilities are equal: some of them may cause only a denial of service, while the most critical ones lead to remote code execution, allowing an attacker to control a victim machine remotely over the internet.

Aside from edge-cases, a typical driver vulnerability can give an attacker privilege escalation capabilities — that is, the chance to obtain administrator rights from an unprivileged account without any knowledge of an administrator’s credentials.

Should I trust that code? A brief history of signed drivers

Beginning with Windows 10 version 1607, released in August 2016 (also known as the Anniversary Update), only drivers signed through the Windows Hardware Quality Labs (WHQL) certification process are allowed to load. As a consequence, blatantly malicious drivers are blocked before reaching a bigger audience. This means that each driver running on a Windows 10 version 1607 (or greater) system is signed by a certificate authority (CA), in a manner similar to the way web server certificates are signed and trusted by a web browser when accessing a website via HTTPS.

Nevertheless, software bugs continue to occur as a natural consequence of coding mistakes.

The good news is that a signed driver that is designated as harmful will have its certificate revoked and the operating system will cease loading it (once updated).

As effective as this might appear, the scheme is not without problems. Due to compatibility requirements, the policy described above is not enforced on drivers signed prior to July 2016, which leaves the door open to privilege escalation through software bugs in a trusted piece of software.
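As an added defensive check, not code from the Norton Labs post, the following Windows PowerShell script inventories the kernel drivers registered on a host and flags any whose Authenticode signature does not verify, or whose signing certificate predates the July 2016 cut-off the post describes (assumed here as 2016-07-01). It relies on the standard Get-CimInstance and Get-AuthenticodeSignature cmdlets.

```powershell
# Added example (not from the Norton Labs post). Lists registered kernel drivers
# and reports those that fall outside the Windows 10 1607 signing regime.
# Assumption: 2016-07-01 stands in for the post's "July 2016" exemption date.
$CutOff = Get-Date -Date '2016-07-01'

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName often uses NT-style prefixes; map to Win32 paths.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return $p
}

function Get-DriverSigningReport {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }   # skip stale entries
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $cert = $sig.SignerCertificate
            $legacy = [bool]($cert -and $cert.NotBefore -lt $CutOff)
            [PSCustomObject]@{
                Name       = $_.Name
                State      = $_.State          # Running / Stopped
                Path       = $path
                SigStatus  = $sig.Status       # Valid, NotSigned, HashMismatch, ...
                Signer     = if ($cert) { $cert.Subject } else { $null }
                CertFrom   = if ($cert) { $cert.NotBefore } else { $null }
                LegacySign = $legacy           # certificate issued before the cut-off
                Review     = ($sig.Status -ne 'Valid') -or $legacy
            }
        }
}

# Show only the drivers that merit a closer look, oldest certificates first.
Get-DriverSigningReport |
    Where-Object Review |
    Sort-Object CertFrom |
    Format-Table Name, State, SigStatus, CertFrom, Signer -AutoSize
```

Treat the output as a review list rather than a verdict: Microsoft's own inbox drivers can appear on it, and the Status column reflects the local trust store, so corroborate anything flagged against the vendor's current driver release before acting.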

Gaming Community vs. Threat Actors

Among those drivers signed prior to July 2016, a couple have been in the spotlight for giving away the keys to the kernel kingdom. The Capcom driver has been in the news for allowing any third-party application to disable one of the attack-mitigation technologies within Windows 10. Meanwhile, a driver from Bandai Namco has also been employed by various malware to escalate privileges in similar fashion.

While the vendors Capcom and Bandai Namco acted responsibly and long ago released patched drivers, it is still possible to obtain copies of the original, vulnerable drivers, which are then embedded in another program to evade first-line detections. These kinds of vulnerable drivers are widely adopted within the gaming community to gain raw power over games, enabling an entire arsenal of cheats.

Conclusion

Vulnerable drivers are particularly dangerous because they run in a privileged context, bypassing many security controls within an operating system. They can even allow an attack that starts from an unprivileged account to end with administrator privileges.

Although vulnerable drivers might offer a cheating shortcut to many gamers, they are also exposing the users to unnecessary risks. We therefore recommend downloading and installing only the latest versions of drivers from known and trusted sources. As we witness these trends in our telemetry data, our observations lead to research that improves protections for all Norton customers.

Innovations from Norton Labs are for research, evaluation, and consumer feedback purposes. NortonLifeLock does not give any warranties as to the suitability or usability of these prototypes and recommends safeguarding data and reviewing all terms and conditions before use.

Copyright © 2021 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries.

About the Author

Matteo Malvica

Principal Security Researcher

Matteo Malvica is a security researcher at Norton Protection Labs where he is focusing on vulnerability research, malware analysis, and reverse engineering.
