Update Intel’s Rapid Storage App to Fix Bug Letting Malware Evade AV


A DLL hijacking vulnerability exists in older versions of the Intel Rapid Storage Technology (Intel RST) software that could allow malicious programs to appear as a trusted program and thus bypass antivirus engines.

DLLs, or dynamic-link libraries, are Microsoft Windows files that other programs load in order to execute the various functions contained in the DLL.

When a DLL is loaded, the executable either specifies the full path to the DLL file or just its name.

If a full path is used, such as c:\example\example.dll, the DLL will only be loaded from the specified location. If just the DLL name is given, such as example.dll, Windows will first try to load it from the folder the executable resides in, and if it cannot be found there, it will search other folders for the DLL and load it from the first one where it is found.

When a DLL is missing from the executable's folder, attackers can abuse this search behavior to perform a DLL hijacking that causes the executable to load a malicious DLL instead.

The Intel Rapid Storage Technology vulnerability

In older versions of the Intel Rapid Storage Technology software, researchers from SafeBreach discovered that the IAStorDataMgrSvc.exe executable tries to load four DLLs from the C:\Program Files\Intel\Intel(R) Rapid Storage Technology folder.

The DLLs that IAStorDataMgrSvc.exe attempts to load are:

  • C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IoctlLog.dll
  • C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IoctlNet.dll
  • C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IoctlSim.dll
  • C:\Program Files\Intel\Intel(R) Rapid Storage Technology\DriverSim.dll

The problem is that these DLLs do not exist, as can be seen from the “NAME NOT FOUND” results shown in the ProcMon screenshot below.

IAStorDataMgrSvc.exe attempting to load the four DLLs.

Remember what we said earlier about searching other folders for missing DLLs?

As the DLLs do not exist in the same folder as the executable, IAStorDataMgrSvc.exe will try to load them from other folders on the computer.

This allowed the researchers to create their own custom DLL that is loaded by IAStorDataMgrSvc.exe when it starts. As IAStorDataMgrSvc.exe runs with SYSTEM privileges, the DLL is loaded with the same privileges and essentially has full access to the computer.

As this particular vulnerability requires administrative privileges to create the DLL, an attacker would not gain much in terms of privilege escalation.

SafeBreach researcher Peleg Hadar told BleepingComputer, though, that it could be used by an attacker to bypass antivirus scanning engines, as the DLL is loaded by the trusted Intel application.

“An attacker can evade the antivirus by running within the context of Intel and execute malicious actions. Tested, and it works, very interesting and useful technique,” Hadar told BleepingComputer in a conversation.

This vulnerability could have been avoided if the Intel software had used the WinVerifyTrust function to validate the authenticity of the loaded DLL by checking its digital signature.

According to SafeBreach, they reported this vulnerability to Intel on July 22nd, 2019, and Intel released updated versions of the Intel Rapid Storage Technology software on December 10th that resolved it.

If you are using older versions of the Intel RST software, you should update to versions v17.5.1.x, v16.8.3.x, or v15.9.8.x or newer.
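For administrators who want to check a fleet rather than take the update on faith, the following PowerShell audit is an added example (not code from the article, SafeBreach or Intel). It assumes the default install folder quoted above, reads the IAStorDataMgrSvc.exe file version, treats the fixed builds named in the article as the floor for each major branch (an assumption, since the article does not say how branches relate), reports whether each of the four DLL names is present and Intel-signed in the install folder, and lists any same-named DLL sitting elsewhere on the search path so an analyst can inspect it.

```powershell
# Added example, not from the article, SafeBreach or Intel: audit one host for
# the Intel RST DLL search-order issue. Run in an elevated PowerShell.
$RstDir   = 'C:\Program Files\Intel\Intel(R) Rapid Storage Technology'   # default path from the article
$Service  = "$RstDir\IAStorDataMgrSvc.exe"
$DllNames = 'IoctlLog.dll', 'IoctlNet.dll', 'IoctlSim.dll', 'DriverSim.dll'
# Fixed builds named in the article; assumption: each is the floor for its branch.
$Fixed    = @{ 17 = [version]'17.5.1.0'; 16 = [version]'16.8.3.0'; 15 = [version]'15.9.8.0' }

function Test-RstFixed {
    param([version]$Installed)
    $floor = $Fixed[$Installed.Major]
    if ($null -eq $floor) { return $Installed.Major -gt 17 }   # branch newer than any listed; older branches count as exposed
    return $Installed -ge $floor
}

if (-not (Test-Path -LiteralPath $Service)) {
    Write-Output "Intel RST not installed at $RstDir; nothing to check."
    return
}

# FileVersion is a free-form string; keep only the leading dotted number.
$raw = (Get-Item -LiteralPath $Service).VersionInfo.FileVersion
$ver = [version]([regex]::Match($raw, '^\d+(\.\d+){1,3}').Value)
$state = if (Test-RstFixed $ver) { 'patched' } else { 'VULNERABLE - update to a fixed build' }
Write-Output "IAStorDataMgrSvc.exe $ver : $state"

# The service resolves these DLLs by bare name. Report whether a file sits in
# the install folder and, if so, whether it carries a valid Intel signature.
foreach ($name in $DllNames) {
    $path = "$RstDir\$name"
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "  $name : absent from install folder (search-order fallback applies)"
        continue
    }
    $sig    = Get-AuthenticodeSignature -LiteralPath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    Write-Output "  $name : present, signature=$($sig.Status), signer=$signer"
}

# Detection: a same-named DLL elsewhere on the search path is what a planted
# copy would look like. List any, with a hash, for analyst review.
$searchDirs = @("$env:SystemRoot\System32", "$env:SystemRoot") + ($env:PATH -split ';' | Where-Object { $_ })
foreach ($dir in ($searchDirs | Select-Object -Unique)) {
    foreach ($name in $DllNames) {
        $hit = "$($dir.TrimEnd('\'))\$name"
        if (Test-Path -LiteralPath $hit) {
            $h = (Get-FileHash -LiteralPath $hit -Algorithm SHA256).Hash
            Write-Output "  REVIEW: $hit found outside install folder (SHA256 $h)"
        }
    }
}
```

A DLL reported as absent is the expected state on a patched build; a same-named DLL found on the search path, or one in the install folder whose signature status is not Valid or whose signer is not Intel, is what to escalate.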
