[Cryptography] Is "drivers for foo" a major malware vector?

Christian Huitema huitema at huitema.net
Mon Apr 18 19:26:24 EDT 2016


On Monday, April 18, 2016 4:14 PM, Ray Dillinger wrote:
> 
> I don't know how I can be any clearer about this. What is the cognitive barrier
> that is making the actual issue here go straight past people?! Okay one more
> time for people who aren't paying attention:
> 
> I was not looking for a device driver.
> ...

Yeah, I knew all that.
 
> What I'm asking -- the real issue here -- is why nobody has been saying
> anything at all about this enormous malware vector operating right out in the
> open?! There are literally *hundreds* of sites out there brazenly offering
> downloads of software they do not have - which they cannot possibly have,
> because there is no such software!

That's the whole point of building a "golden path" for getting drivers through Windows Updates. So that users won't have to web through the dark corners of the Internet to get crazy drivers. Positive message: "do this and you will be OK." That tends to work better than negative warnings. 

Also, requiring signature of driver files, which provides some traces. But then, we can get into the whole PKI argument again... 

> There is something which they are pretending is software that some people will
> want.  They have SOMETHING they want people to download and install.  With
> admin privilege, of course!

I have not heard of such driver uploads causing big problems in practice. There may be lots of bait out there, but not very many phishes.

> It buggers my imagination that all of these hundreds of sites, operating openly
> and with brazenly transparent lies, are representatives of an entire industry
> spreading malware and that NOBODY SO FAR HAS SAID ANYTHING ABOUT THEM!

You should check the state of freeware downloads, bundling with the likes of Superfish. That's a much bigger problem than drivers.

-- Christian Huitema




