Microsoft Confirmed that It Signed a Driver with Rootkit Malware

Share the joy

But the security impact by signing this driver loaded with rootlet malware was only limited, according to Microsoft. 

Code signing is a way to reassure users that the software is safe to use. Unfortunately, Microsoft accidentally signed off a driver that’s loaded with rootkit malware

Netfilter Driver 

Karsten Hahn, a G data malware analyst, first noticed it last week. The infosec community also joined her in tracking the malicious drivers with a Microsoft seal. 

By signing off this driver, it exposed threats to Microsoft’s security. The company’s software is prone to malware. But this time, the weakness originated from the old code-signing process of Microsoft. 

Netfilter is said to communicate with China-based C&C IPs. It provides no legal function, thereby, raising suspicions. 

Han stated that a code running in kernel mode needs to be tested and signed before it will be released publicly to ensure that it functions properly. Without the Microsoft certificate, drivers can’t be installed by default. 

According to Bleeping Computer, Microsoft admitted that it did sign the malicious driver. It’s now investigating the incident. For now, there’s no proof that the code-signing certificates were actually used. 

Microsoft stated: 

“The actor submitted drivers for certification through the Windows Hardware Compatibility Program. The drivers were built by a third party. We have suspended the account and reviewed their submissions for additional signs of malware.” 

The threat targeted the gaming sector in China using these malicious drivers. So far, there’s no sign of enterprise environments that have been affected. 

The company is still investigating what happened. It also stated that it would refine its signing process. 

Microsoft doesn’t believe that it is the work of a state-sponsored hacker. 

Ningbo Zhuo Zhi Innovation Network Technology was the driver maker. It used to work with Microsoft to find and patch security holes. Through Windows Update, Microsoft users will obtain clean drivers. 

Fortunately, the rootkit works only for post-exploitation. It means that you need to have admin-level access to a personal computer to install the driver. Thus, it would only pose a threat to your computer if you go out of your way to install it. 

Not a Comforting News

However, this news is not reassuring. 

When you see a signed driver, it’s an indication that the driver is safe to be loaded and installed on your computer. 

With this incident, users might become reluctant to install new drivers because they are worried they might contain malware, even if the driver comes from the official manufacturer. 

The security team of Microsoft continues to work with the OEM and driver publishers to patch vulnerability and update affected devices before shipment. When the driver publisher has patched the vulnerability, an update is released through the Windows Update platform. 

Once the affected devices receive the latest patches, drivers with security vulnerabilities are blocked on Windows 10 devices through Microsoft Defender. 

The impact of this incident might be limited. Nothing catastrophic has happened yet. But users are still anxious because a driver like this has passed Microsoft’s security.

Share the joy

Author: Jane Danes

Jane has a lifelong passion for writing. As a blogger, she loves writing breaking technology news and top headlines about gadgets, content marketing and online entrepreneurship and all things about social media. She also has a slight addiction to pizza and coffee.

Share This Post On