Installing gaming drivers might leave your PC vulnerable to cyberattacks


If you're using cheat programs when playing games on PC, you could be putting your computer at risk: vulnerabilities in signed drivers are most commonly exploited by game cheat developers to circumvent anti-cheat mechanisms.

However, they have also been observed being used by several advanced persistent threat (APT) groups, according to a new report from ESET. The internet security company recently took a deep dive into the types of vulnerabilities that commonly occur in kernel drivers, and in the process it found several vulnerable drivers in popular gaming software.

Unsigned drivers, or those with vulnerabilities, can often become an unguarded gateway to the core of Windows for malicious actors. While directly loading a malicious, unsigned driver is no longer possible in Windows 11 and Windows 10, and rootkits are considered to be a thing of the past, there are still ways to load malicious code into the Windows kernel, especially by abusing legitimate, signed drivers.

In fact, there are many drivers from hardware and software vendors that offer functionality to fully access the kernel with minimal effort. During its research, ESET found vulnerabilities in AMD's μProf profiling software, the popular benchmarking tool Passmark and the system utility PC Analyser. Thankfully, the developers of all of the affected programs have since released patches to fix these vulnerabilities after ESET contacted them.

Bring Your Own Vulnerable Driver

A common technique that cybercriminals and threat actors use to run malicious code in the Windows kernel is known as Bring Your Own Vulnerable Driver (BYOVD). Peter Kálnai, senior malware researcher at ESET, provided further details on this technique in a press release, saying:

“When malware actors need to run malicious code in the Windows kernel on x64 systems with driver signature enforcement in place, carrying a vulnerable signed kernel driver seems to be a viable option for doing so. This technique is known as Bring Your Own Vulnerable Driver, abbreviated as BYOVD, and has been observed being used in the wild by both high-profile APT actors and in commodity malware.”

Examples of malicious actors using BYOVD include the Slingshot APT group, which implemented its main module Cahnadr as a kernel-mode driver that can be loaded by vulnerable signed kernel drivers, and the InvisiMole APT group, which ESET researchers discovered back in 2018. The RobinHood ransomware is yet another example: it leverages a vulnerable GIGABYTE motherboard driver to disable driver signature enforcement and install its own malicious driver.

In a lengthy blog post accompanying its press release, ESET explained that virtualization-based security, certificate revocation and driver blocklisting are all useful mitigation techniques for those worried about the dangers posed by signed kernel drivers that have been hijacked by malicious actors.
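The three mitigations named above can be checked on a Windows 10/11 host from an elevated PowerShell session. The script below is an added example for this article, not code from ESET or from the vendors mentioned; it reads the Win32_DeviceGuard WMI class for the VBS/HVCI state, the documented VulnerableDriverBlocklistEnable registry value for Microsoft's driver blocklist, and lists the currently running kernel drivers with their Authenticode signer so that third-party signed drivers, the kind BYOVD abuses, stand out for review.

```powershell
# Added example (not from the article or ESET): audit BYOVD-related mitigations
# on the local host. Run from an elevated PowerShell on Windows 10/11.

# 1. Virtualization-based security and HVCI (memory integrity) status.
#    VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
#    SecurityServicesRunning contains 2 when HVCI is running.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$vbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
$hvciRunning = ($dg.SecurityServicesRunning -contains 2)

# 2. Microsoft vulnerable driver blocklist switch. The value is absent on older
#    builds; absence is reported here as "not enabled".
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable `
              -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
$blocklistEnabled = ($blocklist -eq 1)

# 3. Inventory of running kernel drivers with their signer. Driver paths come in
#    several forms (\??\C:\..., \SystemRoot\..., %SystemRoot%\...), so normalise them
#    before asking Get-AuthenticodeSignature (which also checks catalog signatures).
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
           Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    $path = $d.PathName -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot', $env:SystemRoot
    $path = [Environment]::ExpandEnvironmentVariables($path)
    $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    $subject = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Name        = $d.Name
        Path        = $path
        SigStatus   = if ($sig) { $sig.Status } else { 'Unknown' }
        Signer      = $subject
        IsMicrosoft = ($subject -like '*Microsoft*')
    }
}

"VBS running:                 $vbsRunning"
"HVCI running:                $hvciRunning"
"Vulnerable driver blocklist: $blocklistEnabled"
""
"Running drivers not signed by Microsoft (compare against vendor advisories and the blocklist):"
$report | Where-Object { -not $_.IsMicrosoft } | Sort-Object Name |
    Format-Table Name, SigStatus, Signer, Path -AutoSize
```

A signed third-party driver in the last table is not by itself a problem; the point of the list is to give you the set of drivers whose vendor advisories and blocklist status are worth checking, since a valid signature says nothing about whether the driver exposes kernel access to user-mode callers.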


Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 
