The signature requirement for drivers prohibits suspicious software as support. But if a pest crept in, it has a trust bonus.
e Since Windows Vista, Microsoft has required a digital signature in all programs that act as device drivers in Windows. The mere fact that this process involves effort and costs usually prevents hobbyists from providing themselves potentially unsafe drivers for the devices. Even criminals shy away from the formal certification process or fail. But like security researchers Karsten Han
Reported by G Data, a device driver signed by Microsoft has recently appeared and contains nothing but malware.
Rootkit disguised as a driver
As Hahn explains in his report, G-Data Protection has reported a suspicious driver called “Netfilter.” Since it was signed by Microsoft, the researcher initially assumed a false alarm. But then he noticed that the supposed driver runs with encoded strings, which is unusual for a device driver. Another analysis finally revealed it to be a rootkit, a malware that goes deep into the system and thus hides it from security software. As it turned out, the primary function of “Netfilter” is to redirect traffic to a Chinese server. The malware connects to a server to get commands and is able to update itself. According to Han, it is unclear how the driver managed to slip through the signing process.
Microsoft’s reaction was quick and calm
According to Han, Microsoft quickly responded to his report and added “Netfilter” to Microsoft Defender’s list of known threats. at Opinion
Microsoft claims to have blocked the manufacturer’s account that was used to sign the driver. Microsoft has shared extensive information with other antivirus manufacturers about the faulty driver. The group does not explain how incorrect signature can occur. Instead, Microsoft downplays the incident: the attack targets the gaming sector only in China. The goal of the fake driver is to hide the attacker’s location, enable him to play from anywhere, gain an in-game advantage and possibly hack other players’ user accounts with the help of keyboard spies. To install the driver, attackers will either have to have administrator access to the victim’s computer or convince the victim to help. Microsoft confirms that the signing process itself has not been compromised and that they are working hard on Windows security.