Microsoft Approved A Windows Driver Containing Rootkit Malware

Author: Sreyasha Ghosh

Date: Jun 30, 2021

Microsoft on Friday admitted it had signed malicious third-party driver code submitted for certification through its Windows Hardware Compatibility Program (WHCP). Somehow, a driver called Netfilter, which redirects traffic to an IP address in China and installs a root certificate into the registry, made it through that testing without being detected as malware.

Karsten Hahn, a malware analyst at G Data, found the malicious driver and notified Microsoft, "who promptly added malware signatures to Windows Defender and are now conducting an internal investigation." Microsoft also suspended the account that submitted the driver, and is currently going over their previous submissions.

"The actor's goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere," Microsoft's security team explained. "The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers."

How did this happen? Right now, nobody knows. Windows users are advised, "There are no actions customers should take other than follow security best practices and deploy Antivirus software such as Windows Defender for Endpoint."

On the bright side, Microsoft said it has seen no sign that its WHCP signing certificate or infrastructure were compromised. The software giant has updated its Microsoft Defender data to detect and block the devious driver and has shared signature information with other antivirus security vendors so they can tune their detection mechanisms.

Nonetheless, some gamers in China may have been compromised as a result of this driver. Redmond said it plans, at some point, to share additional details about how it is "refining our partner access policies, validation and the signing process to further enhance our protections."
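The two behaviours the article attributes to the driver, a root certificate written to the registry and a kernel driver loaded under a valid signature, are both things an administrator can inventory. The script below is an added example written for this page, not code from Microsoft, G Data or the article. It diffs the machine root store against a baseline recorded on a known-good host, then lists running kernel drivers with their Authenticode signer and SHA-256 hash. The baseline file path is an assumption chosen for the example. Note what the check does and does not give you: the Netfilter driver carried a genuine WHCP signature, so a "Valid" status is not a clean verdict; the value is the inventory, the hash you can feed to Defender or another scanner, and the unfamiliar root CA that stands out in the diff.

```powershell
# Added example, not from the article or the vendors it quotes.
# (1) Diff the machine root store against a saved baseline so a newly planted
#     root CA stands out.
# (2) List running kernel drivers with signer and SHA-256 so an unfamiliar
#     driver file can be handed to AV/EDR or a sandbox.
# $BaselinePath is an assumed location chosen for this example.
param(
    [string]$BaselinePath = "$env:ProgramData\root-store-baseline.txt",
    [switch]$Export   # run once on a known-good host to record the baseline
)

# --- 1. Root store diff -------------------------------------------------
# Cert:\LocalMachine\Root is backed by the registry key
# HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates, which is where
# a driver or installer lands when it "installs a root certificate to the registry".
$roots = Get-ChildItem -Path Cert:\LocalMachine\Root

if ($Export) {
    $roots.Thumbprint | Set-Content -Path $BaselinePath
    Write-Output "Recorded $($roots.Count) root thumbprints in $BaselinePath"
    return
}

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    throw "No baseline at $BaselinePath; run with -Export on a known-good host first."
}
$baseline   = Get-Content -Path $BaselinePath
$unexpected = @($roots | Where-Object { $_.Thumbprint -notin $baseline })

Write-Output "Root certificates not in baseline: $($unexpected.Count)"
$unexpected | ForEach-Object {
    # Self-issued roots are normal for real CAs; this column is context, not a verdict.
    [pscustomobject]@{
        Thumbprint = $_.Thumbprint
        Subject    = $_.Subject
        NotBefore  = $_.NotBefore
        SelfSigned = ($_.Subject -eq $_.Issuer)
    }
} | Format-Table -AutoSize

# --- 2. Running kernel drivers and their signers ------------------------
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # PathName may carry kernel-style prefixes (\??\ or \SystemRoot); normalise to a Win32 path.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig    = Get-AuthenticodeSignature -LiteralPath $path
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

    [pscustomobject]@{
        Name      = $d.Name
        Path      = $path
        SigStatus = $sig.Status   # 'Valid' here does not rule out the case in the article
        Signer    = $signer
        SHA256    = $hash         # the value to hand to your AV/EDR, not the signer name
    }
}

# A signer string never seen on this fleet is the lead to chase; a Microsoft
# signer is not proof of benign intent, which is exactly the point of this story.
$report | Group-Object Signer | Sort-Object Count |
    Select-Object Count, Name | Format-Table -AutoSize

$report | Sort-Object Signer | Format-Table Name, SigStatus, Signer, SHA256 -AutoSize
```

Run it once with `-Export` on a freshly built machine to capture the baseline, then without the switch on hosts you want to compare. Because the driver in this case passed signature checks by design, treat the SHA-256 column as the actionable output: it is what the shared Defender signature data matches on, and what you submit to other scanners when a driver or its signer is unfamiliar.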