Microsoft has disclosed that it mistakenly code-signed a Windows driver containing rootkit malware.
Netfilter Driver code-signed by Microsoft:
Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. The process uses a cryptographic hash of the file, covered by the signer's signature, to validate authenticity and integrity.
Operating systems use code signing to help users avoid malicious software.
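As an added example (not part of the original article), the following PowerShell snippet enumerates the drivers registered on a Windows system and reports their Authenticode status and signer; it assumes Windows with PowerShell 5.1 or later and an elevated prompt so every driver path is readable. It also makes the article's point concrete: a signature that verifies as valid shows only that the file is unmodified since signing, not that its behaviour is benign.

```powershell
# Added example, not from the article: list system drivers with their Authenticode status.
# Assumption: run elevated on Windows with PowerShell 5.1+ (catalog-signed drivers are
# reported as signed on Windows 8 and later).
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # Win32_SystemDriver.PathName may carry a \??\ or \SystemRoot prefix; normalise it.
        $path = $_.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Name   = $_.Name
                State  = $_.State
                Path   = $path
                Status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }

# Drivers whose signature does not verify deserve the first look.
$drivers | Where-Object { $_.Status -ne 'Valid' } | Format-Table Name, Status, Path -AutoSize

# A 'Valid' status with a Microsoft signer is not, by itself, a clean bill of health:
# the Netfilter driver carried exactly such a signature. Review running drivers by
# name and publisher as well, and treat unfamiliar third-party names as worth investigating.
$drivers | Where-Object { $_.State -eq 'Running' } |
    Sort-Object Signer, Name | Format-Table Name, Signer, Status -AutoSize
```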
Security researcher Karsten Hahn was the first to detect the malicious driver last week.
In what amounts to a defeat of the purpose of code signing, Microsoft found that the third-party driver, called Netfilter, was reportedly communicating with command-and-control (C2) servers in China.
The previous week, security researchers had flagged what initially looked like a false positive, but it turned out to be genuine.
As noted above, Netfilter was found to be communicating with Chinese command-and-control servers. The driver also provided no legitimate functionality, which raised further suspicion.
According to Microsoft, this was not an attack that was initiated by state-sponsored hackers.
Exactly how the malicious driver got through Microsoft's certificate signing process is still unclear.
Impact of the malware-ridden driver:
Microsoft says it is investigating the malicious driver and will be taking steps to strengthen the signing process.
There is also currently no evidence that the malware was able to steal the tech giant’s certificates.
Microsoft said that the rogue driver had a limited impact and was aimed at gamers. It isn’t known to have compromised any enterprise users.
Microsoft is working with the driver’s developer, Ningbo Zhuo Zhi Innovation Network Technology, to investigate and apply any security fixes that may be needed, including for the affected hardware.
Users are expected to receive clean, updated drivers through subsequent Windows updates.
Concerned users will naturally ask how malware made it through Microsoft’s signing process; however, the company says the rootkit works only “post-exploitation”: a user must already have administrator-level access on the PC to install the driver. For Netfilter to compromise a system, a user would have to go out of their way to load it.