Driver including rootkit malware signed by Microsoft

[realpetertdm]

 

Quote

Microsoft tests drivers before assigning them a digital certificate that approves them to be installed by default. Somehow, a driver called Netfilter that redirects traffic to an IP in China and installs a root certificate to the registry managed to make it through that testing without being detected as malware.

 

Karsten Hahn, a malware analyst at G Data, found the malicious driver and notified Microsoft, "who promptly added malware signatures to Windows Defender and are now conducting an internal investigation." Microsoft also suspended the account that submitted the driver, and is currently going over their previous submissions.

 

Microsoft's security response center team described the malware's activity as "limited to the gaming sector specifically in China" and explained its purpose: "The actor's goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers."

 

How did this happen? Right now, nobody knows. Windows users are advised, "There are no actions customers should take other than follow security best practices and deploy Antivirus software such as Windows Defender for Endpoint."

Source: https://www.pcgamer.com/a-driver-containing-rootkit-malware-was-certified-by-microsoft/

 

 

If you're looking for a more detailed explanation, read this article from Bleeping Computer:

https://www.bleepingcomputer.com/news/security/microsoft-admits-to-signing-rootkit-malware-in-supply-chain-fiasco/

 

 

TLDR

- A driver called "netfiller" was signed by Microsoft

- Said driver was communicating with China based C&C IPs that provided no legitimate functionality

- Microsoft is currently investigating this situation

- Microsoft has suspendes the account of the actor

- Microsoft recommends no additional action as of right now

 

 

Yeah... this doesn't sound good. Not at all. Rootkits and malware have always been around, but the fact that it's included in a driver signed by Microsoft is somewhat concerning. 

 

[Quackers101]

does this come as DLC for windows? thanks!

Gotta have them all.

[StDragon]

The fact it was signed is the bigger issue here. What else was signed that shouldn't have been?!

[LAwLz]

This is not good news for Microsoft right now... 

[bcredeur97]

what was this driver distributed with? is it part of another software package we should all be aware of? 

[xAcid9]

See? This is why we need TPM2.0!  /s

14 hours ago, bcredeur97 said:

what was this driver distributed with? is it part of another software package we should all be aware of? 

I'm curious as well, is it part of a game installer or something? like Valorant?

[Vishera]

1 hour ago, realpetertdm said:

"There are no actions customers should take other than follow security best practices and deploy Antivirus software such as Windows Defender for Endpoint."

In other words - "We think we know better than our customers so use Windows Defender,They stupid so we do everything for them,the customer can't think for itself."

Also the shameless promotion of Windows Defender...

 

~insert random swear word here~ you too Microsoft.

[StDragon]

49 minutes ago, Vishera said:

In other words - "We think we know better than our customers so use Windows Defender,They stupid so we do everything for them,the customer can't think for itself."

Also the shameless promotion of Windows Defender...

 

~insert random swear word here~ you too Microsoft.

Right, but about the signed driver.. Is simply blocking it at the AV level enough, or will they have to issue a revocation against the original vendor that signed the driver?

[ouroesa]

9 hours ago, StDragon said:

The fact it was signed is the bigger issue here. What else was signed that shouldn't have been?!

That's pretty much the entire issue. 

[TempestCatto]

Yeah yeah, we already know about Windows 11. I'm going back to DOS, fuck this shit.

[WhitetailAni]

3 minutes ago, TempestCatto said:

I'm going back to DOS, fuck this shit.

DOS is way too new. BASIC might be malware-impervious though.

[ImAlsoRan]

3 hours ago, TempestCatto said:

I'm going back to DOS, fuck this shit.

Let's just go back to OS/360.

[Doobeedoo]

They know what's good for ya, so, signed!

 

I mean really, they need to get this together.

[Mark Kaine]

On 6/28/2021 at 5:49 PM, StDragon said:

The fact it was signed is the bigger issue here. What else was signed that shouldn't have been?!

 

 

yeah… i mean… yeah…  doesnt help that half of windows "legitimate" processes apparently  are named like malware because the "team" somehow thought thats funny…

 

 

security through obscurity only works if you know what youre doing, which in Microsoft's case is - highly - questionable.

 

 

 

[StDragon]

2 minutes ago, Mark Kaine said:

yeah… i mean… yeah…  doesnt help that half of windows "legitimate" processes apparently  are named like malware because the "team" somehow thought thats funny…

 

security through obscurity only works if you know what youre doing, which in Microsoft's case is - highly - questionable.

Drivers talk to the kernel. So if you use a driver that's been signed (trusted) and pass malware through it, that ostensibly could root the box depending on the function.

 

With regards to services, those are just programs that run at startup or upon demand without having to be logged into a computer as "user".

 

Run MSCONFIG, then select the "Services" tab. From there, you can put a checkmark in the box next to "Hide all Microsoft services". There's your list of 3rd party entries (Google Update Service, Adobe Acrobat Update Service, NVIDIA, VMWare..etc, stuff like that)

[jagdtigger]

16 minutes ago, Mark Kaine said:

security through obscurity only never works

FIFY...

[Mark Kaine]

6 minutes ago, StDragon said:

Drivers talk to the kernel. So if you use a driver that's been signed (trusted) and pass malware through it, that ostensibly could root the box depending on the function.

 

With regards to services, those are just programs that run at startup or upon demand without having to be logged into a computer as "user".

 

Run MSCONFIG, then select the "Services" tab. From there, you can put a checkmark in the box next to "Hide all Microsoft services". There's your list of 3rd party entries (Google Update Service, Adobe Acrobat Update Service, NVIDIA, VMWare..etc, stuff like that)

to me its more of an issue that through this "obscurity"  (they really made some stuff random, like these host processes, with random numbers) make it easier for malware to camouflage as "system processes" . i sometimes go to file location to check if its in sys32 folder, but that is really tedious, esp because  some stuff keeps renaming itself (as mentioned)

 

btw, lol thats funny, this is literally it.  is that normal, i somehow  expected more none Microsoft stuff?

 

[ramava]

20 minutes ago, Mark Kaine said:

btw, lol thats funny, this is literally it.  is that normal, i somehow  expected more none Microsoft stuff?

Uncheck the box at the bottom. It's hiding everything Microsoft.

[tikker]

24 minutes ago, Mark Kaine said:

to me its more of an issue that through this "obscurity"  (they really made some stuff random, like these host processes, with random numbers) make it easier for malware to camouflage as "system processes" . i sometimes go to file location to check if its in sys32 folder, but that is really tedious, esp because  some stuff keeps renaming itself (as mentioned)

 

btw, lol thats funny, this is literally it.  is that normal, i somehow  expected more none Microsoft stuff?

 

Few more from me, but they're Intel and game launchers so nothing shocking either sadly.

3 minutes ago, ramava said:

Uncheck the box at the bottom. It's hiding everything Microsoft.

They expected more non Microsoft services

[soldier_ph]

Big Brother Winnie the pooh is watching you !

 

/s

[Mark Kaine]

14 minutes ago, tikker said:

Few more from me, but they're Intel and game launchers so nothing shocking either sadly.

its just weird to me what constitutes as service and what doesnt… i suppose  disabled services dont show up there?  i mean i dont see whats different between Amd "crash defender" , "macrium" and "corsair link" except the former are both disabled…

[StDragon]

7 minutes ago, Mark Kaine said:

its just weird to me what constitutes as service and what doesnt… i suppose  disabled services dont show up there?  i mean i dont see whats different between Amd "crash defender" , "macrium" and "corsair link" except the former are both disabled…

I already told you. A service is just another application that runs as the system, but not specifically initiated by a user account within Windows.

 

Services and drivers are different things. A driver is used by an application or API to talk directly to hardware. A driver isn't a service, but a service can run a program that talks to the driver.

You can read up on what Services are in the following link.

https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications

[CarlBar]

29 minutes ago, Mark Kaine said:

its just weird to me what constitutes as service and what doesnt… i suppose  disabled services dont show up there?  i mean i dont see whats different between Amd "crash defender" , "macrium" and "corsair link" except the former are both disabled…

 

You know how some programs will ask if you want them to run at startup? If you select yes they get added as a service, thats all a service is, a program that runs, (usually invisibly), at startup.

[Radium_Angel]

7 minutes ago, CarlBar said:

 

You know how some programs will ask if you want them to run at startup? If you select yes they get added as a service, thats all a service is, a program that runs, (usually invisibly), at startup.

That's not entirely accurate.

A service loads during kernel loading and booting, a startup typically resides in the registry, and runs when that section of the registry is accessed at bootup.

A subtle, but distinct difference.

 

[CarlBar]

4 minutes ago, Radium_Angel said:

That's not entirely accurate.

A service loads during kernel loading and booting, a startup typically resides in the registry, and runs when that section of the registry is accessed at bootup.

A subtle, but distinct difference.

 

Yes but i've noticed a lot today will add themselves as a service so it still provides a solid handle to grasp the concept by. They're clearly allready confused, i was trying not to confuse them more while thy got their head around the issue.