Microsoft digitally signs malicious rootkit driver

29/06/2021

Stock photo of a virus alert on a laptop screen.

Microsoft gave its digital imprimatur to a rootkit that decrypted encrypted communications and sent them to attacker-controlled servers, the company and outside researchers said.

The blunder allowed the malware to be installed on Windows machines without users receiving a security warning or needing to take additional steps. For the past 13 years, Microsoft has required third-party drivers and other code that runs in the Windows kernel to be tested and digitally signed by the OS maker to ensure stability and security. Without a Microsoft certificate, these types of programs can’t be installed by default.

Eavesdropping on SSL connections

Earlier this month, Karsten Hahn, a researcher at security firm G Data, found that his company’s malware detection system flagged a driver named Netfilter. He initially thought the detection was a false positive because Microsoft had digitally signed Netfilter under the company’s Windows Hardware Compatibility Program.

After further testing, Hahn determined that the detection wasn’t a false positive. He and fellow researchers decided to figure out precisely what the malware does.
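The signing requirement described above is easy to over-trust: a signature from Microsoft's Windows Hardware Compatibility Publisher proves only that a submission passed the WHCP process, not that Microsoft wrote or vetted the driver's behaviour. The following PowerShell script is an added example, not code from the article, from G Data or from Microsoft. It inventories the kernel drivers registered on a host (including ones set to load at the next boot), resolves each image path, and reports the Authenticode status and signer so that unsigned, invalid and third-party WHCP-attested drivers can be reviewed. The signer-subject pattern used to identify WHCP attestation is an assumption about the CN Microsoft uses.

```powershell
# Added example (not from the article, G Data or Microsoft): report who signed each
# registered kernel driver. Requires Windows PowerShell 5.1+ or PowerShell 7 on Windows;
# run elevated for complete results.

function Resolve-DriverImagePath {
    param([string]$RawPath)
    if ([string]::IsNullOrWhiteSpace($RawPath)) { return $null }
    $p = $RawPath.Trim('"')
    # Service image paths come in several shapes; normalise the common ones.
    if ($p -match '^\\\?\?\\(.+)$')          { $p = $Matches[1] }
    if ($p -match '^\\SystemRoot\\(.+)$')    { $p = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($p -match '^system32\\')         { $p = Join-Path $env:SystemRoot $p }
    elseif ($p -notmatch '^[A-Za-z]:\\')     { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-KernelDriverSignatureReport {
    [CmdletBinding()]
    param(
        # Assumption: WHCP-attested drivers carry this string in the signer subject CN.
        [string]$WhcpSignerPattern = 'Windows Hardware Compatibility Publisher'
    )
    # Win32_SystemDriver lists every kernel driver service known to the Service Control
    # Manager, including ones that are stopped now but registered to start at boot.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = Resolve-DriverImagePath $_.PathName
        $sig  = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
        }
        $signer = if ($sig) { $sig.SignerCertificate } else { $null }
        [pscustomobject]@{
            Name         = $_.Name
            State        = $_.State
            StartMode    = $_.StartMode
            Path         = $path
            SigStatus    = if ($sig) { $sig.Status.ToString() } else { 'FileNotFound' }
            Signer       = if ($signer) { $signer.Subject } else { $null }
            Thumbprint   = if ($signer) { $signer.Thumbprint } else { $null }
            # True when the file is attestation-signed by Microsoft's WHCP signer; such a
            # driver was built by a third party and deserves the same scrutiny as any other.
            WhcpAttested = [bool]($signer -and ($signer.Subject -like "*$WhcpSignerPattern*"))
        }
    }
}

# Usage: show drivers that are unsigned/invalid or WHCP-attested, worst status first.
Get-KernelDriverSignatureReport |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.WhcpAttested } |
    Sort-Object SigStatus, Name |
    Format-Table Name, StartMode, SigStatus, WhcpAttested, Signer -AutoSize
```

A driver that shows `SigStatus = Valid` and `WhcpAttested = True` is exactly the case Hahn first took for a false positive; compare its thumbprint and path against your approved-driver inventory rather than accepting the signature as a verdict on the file.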

“The core functionality seems to be eavesdropping on SSL connections,” reverse engineer Johann Aydinbas wrote on Twitter. “In addition to the IP redirecting component, it also installs (and protects) a root certificate to the registry.”

Spent some more time analyzing the Chinese netfilter driver discovered by @struppigel:

The core functionality seems to be eavesdropping on SSL connections. In addition to the IP redirecting component, it also installs (and protects) a root certificate to the registry.

— Johann Aydinbas (@jaydinbas) June 19, 2021

A rootkit is a type of malware written so that it hides itself from file directory listings, task monitors, and other standard OS functions. A root certificate is used to authenticate traffic sent through connections protected by the Transport Layer Security protocol, which encrypts data in transit and ensures the server to which a user is connected is genuine and not an imposter. Normally, TLS certificates are issued by a Windows-trusted certificate authority (or CA). By installing a root certificate of their own in Windows itself, hackers can bypass the CA requirement, because certificates chaining to that root are then trusted by the machine.


Microsoft’s digital signature, along with the root certificate the malware installed, gave the malware stealth and the ability to send decrypted TLS traffic to hxxp://110.42.4.180:2081/s.
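Because the interception capability rests on an attacker-installed root certificate, the defensive check that matters here is an audit of the trusted root stores. The following PowerShell is an added example, not code from the article, G Data or Microsoft. It compares the machine and user root stores against a baseline of expected thumbprints and reports anything extra, and it also compares the certificate provider's view of the machine root store with the raw registry key that backs it, since the tweet above says the driver "protects" the certificate it writes to the registry. The baseline thumbprints are placeholders; a real baseline should be exported from a clean reference image with the helper provided.

```powershell
# Added example (not from the article, G Data or Microsoft): audit Windows trusted root
# stores. Requires Windows PowerShell 5.1+ or PowerShell 7 on Windows.

function Export-RootBaseline {
    # Run on a known-clean reference host to produce the thumbprint list used as $Baseline.
    param([string]$StorePath = 'Cert:\LocalMachine\Root')
    Get-ChildItem -Path $StorePath | ForEach-Object { $_.Thumbprint.ToUpperInvariant() } | Sort-Object
}

function Get-UnexpectedRootCertificate {
    [CmdletBinding()]
    param(
        # SHA-1 thumbprints of roots you expect to see. PLACEHOLDER values: replace with the
        # output of Export-RootBaseline taken from a clean reference image.
        [string[]]$Baseline = @(
            '0000000000000000000000000000000000000000',
            '1111111111111111111111111111111111111111'
        ),
        [string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($store in $StorePaths) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
            $cert = $_
            # -contains is case-insensitive, so thumbprint casing does not matter.
            if ($Baseline -contains $cert.Thumbprint) { return }
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                NotBefore  = $cert.NotBefore
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
            }
        }
    }
}

function Compare-RootStoreWithRegistry {
    # The machine ROOT store is persisted under this key; each subkey name is a thumbprint.
    $regPath = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'
    $fromRegistry = @(Get-ChildItem -Path $regPath -ErrorAction SilentlyContinue |
                      ForEach-Object { $_.PSChildName.ToUpperInvariant() })
    $fromProvider = @(Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
                      ForEach-Object { $_.Thumbprint.ToUpperInvariant() })
    Compare-Object -ReferenceObject $fromRegistry -DifferenceObject $fromProvider |
        ForEach-Object {
            [pscustomobject]@{
                Thumbprint = $_.InputObject
                Where      = if ($_.SideIndicator -eq '<=') { 'RegistryOnly' } else { 'ProviderOnly' }
            }
        }
}

# Usage:
Get-UnexpectedRootCertificate | Format-Table Store, Subject, SelfSigned, NotAfter, Thumbprint -AutoSize
Compare-RootStoreWithRegistry | Format-Table -AutoSize
```

When reading the comparison, `ProviderOnly` entries can be legitimate because the logical root store also aggregates roots delivered by Group Policy and enterprise stores; `RegistryOnly` entries, and any unexpected self-signed root with a recent `NotBefore`, are the findings to escalate.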

Serious security lapse

In a brief post from Friday, Microsoft wrote, “Microsoft is investigating a malicious actor distributing malicious drivers within gaming environments. The actor submitted drivers for certification through the Windows Hardware Compatibility Program. The drivers were built by a third party. We have suspended the account and reviewed their submissions for additional signs of malware.”

The post said that Microsoft has found no evidence that either its signing certificate for the Windows Hardware Compatibility Program or its WHCP signing infrastructure had been compromised. The company has since added Netfilter detections to the Windows Defender AV engine built into Windows and provided the detections to other AV providers. The company also suspended the account that submitted Netfilter and reviewed previous submissions for signs of additional malware.

Microsoft added:

The actor’s activity is limited to the gaming sector, specifically in China, and does not appear to target enterprise environments. We are not attributing this to a nation-state actor at this time. The actor’s goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers.

It’s important to understand that the techniques used in this attack occur post-exploitation, meaning an attacker must either have already gained administrative privileges in order to be able to run the installer to update the registry and install the malicious driver the next time the system boots, or convince the user to do it on their behalf.

Despite the limitations the post noted, the lapse is serious. Microsoft’s certification program is designed to block precisely the kind of attack G Data first discovered. Microsoft has yet to say how it came to digitally sign the malware. Company representatives declined to provide an explanation.
