Responding to what first appeared to be a false positive, cybersecurity researchers caught hold of a malicious driver that was officially signed by Microsoft.
Karsten Hahn, a malware analyst with security vendor G Data, blogged about Microsoft's faux pas, while sharing his observations about the driver's malicious activities.
Analysis revealed that the driver, named Netfilter, was in fact a rootkit that redirected traffic to Chinese command and control (C&C) servers.
"Last week our alert system notified us of a possible false positive because we detected a driver named 'Netfilter' that was signed by Microsoft… In this case the detection was a true positive, so we forwarded our findings to Microsoft who promptly added malware signatures to Windows Defender and are now conducting an internal investigation," wrote Hahn.
[HEADING=1]Malicious driver[/HEADING]
Hahn explains that, since the launch of Windows Vista, all code that runs in the kernel space needs to be tested and signed by Microsoft. Simply put, any driver that doesn't bear the official seal of approval from Microsoft cannot be installed "by default."
As per Hahn's analysis, the Netfilter driver was flagged because it didn't appear to provide any "legitimate functionality" and was exhibiting abnormal behavior by communicating with China-based C&C IPs.
According to Bleeping Computer, Microsoft has confirmed it accidentally signed the malicious driver, which is being distributed within gaming environments.
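The practical lesson of this case is that a genuine Microsoft signature does not settle whether a kernel driver is benign. As an added defender-side check (not code from the article or from G Data), the PowerShell snippet below inventories the running kernel drivers, verifies each Authenticode signature and records the signer and SHA-256 hash, so the drivers that are validly signed via Microsoft's hardware-compatibility publisher can be pulled out and judged on their behaviour. It assumes an elevated session on Windows; the signer name it matches is the one Microsoft uses for hardware-compatibility-signed drivers and is given here as an assumption to adjust for your environment.

```powershell
# Added example: inventory loaded kernel drivers and their Authenticode signers.
# Assumes an elevated PowerShell session on Windows; signer name is an assumption.
function Get-DriverSignatureReport {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise kernel-style paths such as \??\C:\... or \SystemRoot\...
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
                Signer = $sig.SignerCertificate.Subject
                Sha256 = $hash
            }
        }
}

$report = Get-DriverSignatureReport

# Drivers with a valid signature from Microsoft's hardware-compatibility publisher are
# the case the article describes: the signature is real, so the file still has to be
# judged on what it does (for example unexpected outbound connections), not on trust.
$report |
    Where-Object { $_.Status -eq 'Valid' -and
                   $_.Signer -like '*Microsoft Windows Hardware Compatibility Publisher*' } |
    Sort-Object Name |
    Format-Table Name, Signer, Sha256 -AutoSize

# On a system enforcing driver signing, anything not validly signed deserves a look too.
$report |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Name, Status, Path -AutoSize
```

The SHA-256 column gives you a value to compare against vendor detections such as the Defender signatures mentioned above, without relying on the driver's certificate chain.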
[HEADING=1]Software supply chain threat[/HEADING]
Hahn states that Microsoft is actively investigating how the driver managed to pass the signing process.
Bleeping Computer adds that the software giant hasn't found evidence that the driver was signed by stolen code-signing certificates. This would seem to suggest the malicious actor got the seal of approval following due process.
This is an even more worrying prospect, as it points to chinks in Microsoft's driver signing process that might have been exploited to poison the software supply chain, with potential ramifications for businesses of all sizes.