
RedDriver never BSOD'd, perhaps something even AMD, Nvidia, Microsoft, or Intel can't brag about


Cisco Talos was one of several security firms to inform Microsoft about a number of drivers that were signed with illegitimately obtained driver certificates. The tech giant acknowledged the issue and suspended all of the developer accounts that had been abusing the trust placed in a WHQL-signed driver.

Cisco also separately published its findings on RedDriver, a browser-hijacking driver that abuses Microsoft's own Windows Filtering Platform (WFP) and whose authors used utilities such as HookSignTool to forge signatures. For those unaware, WFP is Windows' network traffic processing platform, the successor to the filtering architecture used in Windows XP and Windows Server 2003.
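Because the story turns on drivers carrying signatures they should not have, a practical first step for an administrator is to inventory the kernel driver files on a host and record who signed each one. The script below is an added example for this article, not code from Cisco's report or from the RedDriver analysis; the directory, the `*.sys` filter and the "not signed by Microsoft" triage rule are assumptions that you should adapt to your environment.

```powershell
# Added example (not from Cisco's report or the article): list kernel driver files with
# their Authenticode signature status and signer so unexpected ones can be reviewed.
# Assumes Windows PowerShell 5.1 or later on the host being inspected.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'   # assumed location to inventory

$report = Get-ChildItem -Path $driverDir -Filter '*.sys' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert   = $sig.SignerCertificate
        [PSCustomObject]@{
            File     = $_.Name
            Status   = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
            Signer   = if ($cert) { $cert.Subject } else { '<none>' }
            NotAfter = if ($cert) { $cert.NotAfter } else { $null }
            Modified = $_.LastWriteTime
        }
    }

# Triage rule (an assumption, not a verdict): anything that fails validation or is not
# signed by a Microsoft publisher deserves a closer look. WHQL-signed third-party drivers
# carry a Microsoft publisher subject, so they pass this filter as expected.
$suspect = $report | Where-Object {
    $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft'
}

$suspect | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Two caveats apply. A signature produced with a stolen or improperly obtained certificate, which is the abuse the article describes, will still report `Valid` here, so this inventory is a way to spot unsigned or unfamiliar drivers and to build a baseline, not a detector for forged signatures; for known samples, match file hashes against the indicators in Cisco's published report instead. Also, in-box drivers are commonly catalog-signed rather than carrying an embedded signature, so treat a `NotSigned` result on a Windows component as a prompt to verify against the system catalogs rather than as proof of tampering.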

The Cisco malware analysts were quite impressed with RedDriver's stability, acknowledging the skill required to design it. In a section titled "RedDriver authors are skilled at driver development", the firm praises the competence of the driver's development team at length, noting that it did not once encounter a BSOD (blue screen of death) during its analysis of the driver. It writes:

RedDriver was likely developed by highly skilled threat actors as the learning curve for developing malicious drivers is steep. Writing Windows drivers requires a very specific skill set and deep knowledge of the Windows operating system. For example, drivers are highly prone to crashing. However, during our analysis, we did not encounter any crashes or “blue screens of death” (BSOD), which speaks to the authors’ skill. An incorrectly written driver can cause damage to or crash a system even if no malicious intent is present.

While we do not know how intensive or stressful the testing the driver underwent was, the RedDriver developers might even be able to brag, to some extent, that the likes of AMD, Nvidia, Intel, or even Microsoft itself sometimes fail to produce drivers this stable. Jokes aside, one thing is clear: Cisco, which has probably analyzed multitudes of such malicious drivers, believes RedDriver is one of the most skillfully crafted ones out there.

Beyond the stability aspect, Cisco praises the authors of the RedDriver malware more generally, noting that integrating with WFP is not an easy task, and it also points out that the threat actors used development automation tools like Jenkins:

Furthermore, WFP is a complex platform to implement and generally requires significant driver development experience to fully understand it.

The authors also demonstrated a familiarity or experience with software development lifecycles, another skill set that requires previous development experience. For example, while developing the infection chain, the authors used Jenkins, a tool commonly used by software developers to automate the development, building and testing of software.

Another indicator of the development experience of the authors is the use of specific sections of open-source tools. Rather than using the entire codebase of these tools, the authors of RedDriver borrow and integrate sections of the source code in different stages of the infection chain.

You can find more technical details about RedDriver in Cisco's blog post.
