While investigating what first looked like a false positive, security researchers uncovered a malicious driver that had been legitimately signed by Microsoft.
Karsten Hahn, a malware analyst with security vendor G Data, blogged about Microsoft's faux pas and shared his observations about the driver's malicious behaviour.
Analysis revealed that the driver, named Netfilter, was in fact a rootkit that redirected traffic to command and control (C&C) servers hosted in China.
“Last week our alert system notified us of a possible false positive because we detected a driver named 'Netfilter' that was signed by Microsoft…In this case the detection was a true positive, so we forwarded our findings to Microsoft who promptly added malware signatures to Windows Defender and are now conducting an internal investigation,” wrote Hahn.
Malicious driver
Hahn explains that, since the launch of Windows Vista, all code that runs in kernel space has had to be tested and signed before it is released, and Microsoft itself signs drivers that pass its review. Simply put, a driver that does not carry Microsoft's seal of approval cannot be installed "by default."
As per Hahn's analysis, the Netfilter driver was flagged because it did not appear to provide any "legitimate functionality" and behaved abnormally, communicating with C&C IP addresses located in China.
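The practical lesson of the Netfilter case is that a valid Microsoft signature proves a driver passed Microsoft's signing pipeline, not that it is benign, so a defender still has to inventory what is actually loaded and compare it against hash-based indicators. The following PowerShell script is an added example written for this article; it is not code from G Data, Hahn or Microsoft. It assumes an elevated PowerShell 5.1 or later session on Windows, and the `$KnownBadSha256` list is a placeholder to be filled with hashes published by your AV or threat-intel vendor (the value shown is a dummy, not a real Netfilter indicator).

```powershell
# Added example, not from the original article: inventory every registered
# kernel driver, record its Authenticode signer and SHA-256 hash, and flag
# entries that match a list of known-bad hashes. A Microsoft signer alone is
# NOT treated as proof of safety, which is the gap the Netfilter case exposed.

# Placeholder IOC list (dummy value): replace with vendor-published SHA-256 hashes.
$KnownBadSha256 = @(
    '0000000000000000000000000000000000000000000000000000000000000000'
)

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several kernel-style forms;
    # normalise them to a Win32 path that Get-Item can open.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''             # strip the \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot    # expand \SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') {                   # relative to the Windows directory
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-KernelDriverReport {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }

        $sig    = Get-AuthenticodeSignature -FilePath $path
        $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

        [pscustomobject]@{
            Name            = $_.Name
            State           = $_.State                  # Running / Stopped
            Path            = $path
            SignatureStatus = $sig.Status               # Valid, NotSigned, HashMismatch, ...
            Signer          = $signer
            # Coarse check on the subject name; a production tool should
            # validate the full chain rather than string-match the subject.
            MicrosoftSigned = ($signer -match 'Microsoft')
            Sha256          = $hash
            KnownBad        = ($KnownBadSha256 -contains $hash)
        }
    }
}

$report = Get-KernelDriverReport

# The interesting bucket is "validly signed but matches an IOC": on a
# default-configured 64-bit system, unsigned or tampered drivers would have
# been refused by Driver Signature Enforcement in the first place.
$report |
    Where-Object { $_.KnownBad -or $_.SignatureStatus -ne 'Valid' } |
    Format-Table Name, State, SignatureStatus, Signer, Sha256 -AutoSize

# Keep the full inventory so it can be diffed against a known-good baseline.
$report | Export-Csv -NoTypeInformation -Path "$env:TEMP\kernel-drivers.csv"
```

Run it from an elevated prompt, since reading some driver binaries under `System32\drivers` requires administrator rights. The CSV baseline is the useful artefact over time: a newly appearing Microsoft-signed driver with no corresponding vendor software install is exactly the kind of anomaly that prompted G Data's investigation.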
According to Bleeping Computer, Microsoft has confirmed that it accidentally signed the malicious driver, which is being distributed within gaming environments.
Software supply chain threat
Hahn states that Microsoft is actively investigating how the driver managed to pass the signing process.
Bleeping Computer adds that the software giant has found no evidence that the driver was signed with stolen code-signing certificates. This suggests the malicious actor obtained Microsoft's signature by submitting the driver through the normal process.
That is an even more worrying prospect, because it points to weaknesses in Microsoft's driver signing process that could be exploited to poison the software supply chain, with potential ramifications for businesses of all sizes.