Microsoft says the Netfilter driver used to distribute rootkit malware was signed as part of the Windows Hardware Compatibility Program.
Microsoft confirmed that it gave its seal of approval to Netfilter, a malicious driver used to distribute rootkit malware, as part of its Windows Hardware Compatibility Program (WHCP).
BleepingComputer reported that Netfilter was publicly disclosed by G Data researcher Karsten Hahn on June 17. The Microsoft Security Response Center formally acknowledged the problem on June 25; Hahn offered additional details about how the malware functioned that same day.
“Since Windows Vista, any code that runs in kernel mode is required to be tested and signed before public release to ensure stability for the operating system,” Hahn said in the follow-up blog post. “Drivers without a Microsoft certificate cannot be installed by default.”
That’s why attackers sometimes try to compromise the WHCP signing certificate. It’s much easier to distribute malware that appears to have been signed by Microsoft. In this case, however, Microsoft said the Netfilter driver was legitimately signed as part of the WHCP.
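The practical consequence for defenders is that “signed by Microsoft” is not one category: a driver Microsoft itself authored and a third-party driver that passed WHCP attestation both carry a Microsoft-rooted signature. The following PowerShell script is an added example, not code from the article or from Microsoft or G Data; it inventories running kernel drivers on a Windows host, checks each file’s Authenticode signature, and separates Microsoft-authored drivers from WHCP-attested third-party drivers so the latter can be reviewed against a hardware inventory. The signer subject string it matches on is an assumption to confirm against a known-good WHCP driver on your own fleet; the script contains no indicators specific to Netfilter, since the article publishes none.

```powershell
# Added example (not from the article): inventory running kernel drivers and
# their Authenticode signer, so a defender can separate Microsoft-authored
# drivers from third-party drivers that carry a WHCP attestation signature.
# ASSUMPTION: WHCP-attested drivers are signed with the subject below; confirm
# against a known-good third-party driver on your own systems before relying on it.
$whcpPublisher = 'CN=Microsoft Windows Hardware Compatibility Publisher'

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # PathName may be quoted, use the \??\ prefix, or start with \SystemRoot;
    # normalise to a plain filesystem path before checking the file.
    $path = $d.PathName -replace '"', ''
    $path = $path -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -FilePath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Classify: anything not validly signed is reviewed first; WHCP-attested
    # third-party drivers are the population this incident concerns.
    if ($sig.Status -ne 'Valid') {
        $category = 'REVIEW: not validly signed'
    } elseif ($subject -like "*$whcpPublisher*") {
        $category = 'Third-party, WHCP-attested'
    } elseif ($subject -like '*Microsoft*') {
        $category = 'Microsoft'
    } else {
        $category = 'Other signer'
    }

    [pscustomobject]@{
        Name     = $d.Name
        Path     = $path
        Status   = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer   = $subject
        Category = $category
    }
}

# A valid signature alone is not a trust decision: compare the WHCP-attested
# entries against the hardware you actually deploy and investigate anything unexpected.
$report | Sort-Object Category, Name | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so every driver file is readable; the output is a starting point for an inventory review, not a verdict, because the incident shows that a validly signed, WHCP-attested driver can still be malicious.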
BleepingComputer characterized this mistake as a “supply-chain fiasco” because it showed that even rootkit malware can receive Microsoft’s approval through the WHCP. What’s the point of blocking drivers that aren’t signed by Microsoft if even officially sanctioned drivers can be malicious?
The company also said “the actor’s activity is limited to the gaming sector specifically in China” and that “the malware enables them to gain an advantage in video games and possibly exploit other players by compromising their accounts through common tools like keyloggers.”
Microsoft said it has suspended the account of an unidentified third party who built the Netfilter driver, blocked the driver via Microsoft Defender for Endpoint, and shared data “with other AV security vendors so they can proactively deploy detections” in their products.
Instructions for determining whether a machine has been affected by Netfilter can be found in Microsoft’s blog post. The company said it “will be sharing an update on how we are refining our partner access policies, validation and the signing process to further enhance our protections” in light of this incident, but didn’t say exactly when it plans to share that information.