According to Ars Technica, Microsoft discovered a bad driver inside certain Huawei MateBook systems. After using new monitoring features added to Windows version 1809 that are monitored by the company’s Microsoft Defender Advanced Threat Protection (ATP) service, Microsoft realized that the driver let unprivileged users create processes with superuser privileges.
Huwai fixed the driver, publishing the safe version in early January. If you’re using a Huwai system, you’re fine as long as you have either updated everything or removed the built-in applications entirely.
Microsoft Defender ATP relies on both signature-based endpoint antimalware to detect known threats and heuristics to find behavior that appears suspicious whether or not particular malware has been identified.
Windows 10 version 1809 is designed to detect DOUBLEPULSAR-like backdoors. DOUBLEPULSAR is a backdoor implant tool developed by the U.S. National Security Agency (NSA) that was used to infect 200,000 Microsoft Windows computers in only a few weeks in 2017. The tool allows people to compromise kernel driver to run code in user mode by copying code into the memory of an already-running privileged process and directing the system to perform that code by sending an asynchronous procedure call (APC) to the process.
APCs are typically used internally by the operating system for certain I/O operations and allow users to temporarily switch a thread to run a different function. Windows uses a system in which the read or write operation can start without waiting because it uses an APC to indicate that the read or write has finished.
“Further investigation revealed that on this particular occasion, it wasn’t malware that was injecting and running code in a user process; it was a Huawei-written driver. Huawei’s driver was supposed to act as a kind of watchdog: it monitored a regular user mode service that’s part of the PCManager software, and if that service should crash or stop running, the driver would restart it,” writes Ars Technica. “To perform that restart, the driver injected code into a privileged Windows process and then ran that code using an APC—a technique lifted straight from malware.”