web analytics
Home » Technology » Microsoft » Mistake: Microsoft Signs A Driver Containing Rootkit Malware

Mistake: Microsoft Signs A Driver Containing Rootkit Malware

rootkit malware

The signing of drivers and applications is generally intended to make updates more secure. However, Microsoft now had to admit that this is not always true and that malware also makes its way through the protective network despite the signature.

You hear more often about malware smuggled into Android or iOS apps, but now Microsoft has been hit particularly hard. Microsoft has now confirmed that it has signed a malicious driver that has been distributed in gaming environments. As a result of this bug, the malware was distributed which, according to initial findings, is connected to a Chinese server.

“Malicious Content” drivers signed by Microsoft

Karsten Hahn, the malware analyst at G Data, drew attention to the problem. A malicious driver with the Microsoft seal was found. This driver, called “Netfilter”, is actually a rootkit that has been observed when communicating with Chinese Command and Control IPs (C2).

This incident has once again exposed threats to the security of the software supply chain, only this time it stemmed from a weakness in Microsoft’s code signing process. Last week, G Data’s cybersecurity warning systems reported something that initially looked like a false positive, but it wasn’t – a driver signed by Microsoft called “Netfilter”. The driver in question did not offer legitimate functionality, so it aroused suspicion. G Data’s malware analyst Karsten Hahn then announced this publicly and contacted Microsoft at the same time:

“Since Windows Vista, every code that runs in kernel mode has to be tested and signed before being released to the public in order to guarantee the stability of the operating system. Drivers without a Microsoft certificate cannot be installed by default,” says Hahn. The researcher analyzed the driver, its self-update functionality, and the so-called “Indicators of Compromise (IOCs)” in a detailed blog post. According to a post in the Microsoft Security Response Center, Microsoft is currently investigating this incident and will provide further information accordingly.