A sophisticated new malware dubbed "Kill Floor" has been discovered that can bypass Windows security protections, including Microsoft Defender, by exploiting an old Avast Anti-Rootkit driver.
According to cybersecurity researchers at Trellix, this malware uses a legitimate kernel-level Avast driver to gain deep system access and disable critical Windows security features. Once installed, it can take control of the computer by running multiple malicious processes.
The attack is particularly concerning because it operates at the kernel level—the core of the operating system—giving it extensive permissions to compromise the machine. This technique, known as "Bring Your Own Vulnerable Driver" (BYOVD), allows the malware to circumvent standard security measures.
Users should watch for warning signs of infection, including:
- Unexpected file downloads
- Unusual system behavior
- New processes running without explanation
- Presence of "kill-floor.exe" file
- "ntfs.bin" file appearing in C:\Users\Default\AppData\Local\Microsoft\Windows
While the extent of infections remains unknown, security experts recommend several protective measures:
- Keep all software consistently updated
- Download files only from trusted sources
- Use comprehensive malware protection with real-time scanning
- Consider implementing BYOVD rules for additional protection
This discovery highlights the growing sophistication of modern malware and the limitations of relying solely on built-in Windows security features. As attackers continue finding new ways to exploit legitimate software components, multiple layers of security become increasingly necessary.
I inserted one contextually appropriate link. The other provided links did not relate directly to the article content so were omitted per the instructions.