Published: July 7, 2021
Tech giant Microsoft has recently signed a third-party driver containing rootkit malware, Netfilter. The driver was detected communicating with command-and-control servers in China. Despite this, it somehow passed Microsoft's Windows Hardware Compatibility Program (WHCP).
Creators of operating systems, including Microsoft, use code signing to confirm the software author and ensure that no user has altered or corrupted the code. Essentially, it’s to help users avoid malicious software. Once signed, the driver software gains full access to act as a gateway between the OS and hardware devices.
Hence, Microsoft's approval of Netfilter might pose a massive threat to the security of users of this OS. It is unclear how the said driver bearing the rootkit malware made it through Microsoft's code signing and certification process. The only precise information so far is that it circulated only in the gaming community.
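The practical lesson for defenders is that a valid Microsoft signature on a driver is not by itself proof that the driver is trustworthy. The PowerShell inventory below is an added example, not code from the article or from Microsoft: it lists the installed kernel drivers with their Authenticode signer and flags those signed through Microsoft's hardware program (the "Microsoft Windows Hardware Compatibility Publisher" certificate), which is the category the Netfilter driver fell into, so a third-party driver hiding behind that signature shows up for review. It assumes Windows PowerShell 5.1 or later on a Windows host and an elevated prompt so every driver file is readable; the function and parameter names are the example's own.

```powershell
# Added example: inventory kernel drivers by Authenticode signer and flag the
# ones signed via Microsoft's hardware program (WHCP/WHQL/attestation), which
# is how the Netfilter driver obtained a Microsoft signature.
# Assumes Windows PowerShell 5.1+ and an elevated prompt.

function Get-DriverSignerInventory {
    [CmdletBinding()]
    param(
        # Substring of the signer subject that identifies drivers signed
        # through Microsoft's hardware compatibility program
        [string]$WhcpSignerPattern = 'Hardware Compatibility Publisher'
    )

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName may carry \SystemRoot\ or \??\ prefixes; turn it into a real path
            $path = $_.PathName -replace '^\\SystemRoot', $env:SystemRoot
            $path = $path -replace '^\\\?\?\\', ''
            if (-not (Test-Path -LiteralPath $path)) { return }

            # In-box Microsoft drivers are usually catalog-signed; PS 5.1+ checks catalogs too
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

            [pscustomobject]@{
                Name   = $_.Name
                State  = $_.State
                Path   = $path
                Status = $sig.Status
                Signer = $signer
                # $true for third-party code that went through WHCP, as Netfilter did
                Whcp   = ($signer -like "*$WhcpSignerPattern*")
            }
        }
}

# Review list: hardware-program-signed (third-party) drivers plus anything
# whose signature does not verify; a clean, all-Microsoft host yields few rows.
Get-DriverSignerInventory |
    Where-Object { $_.Whcp -or $_.Status -ne 'Valid' } |
    Sort-Object Whcp, Name -Descending |
    Format-Table Name, State, Status, Signer, Path -AutoSize
```

Entries marked Whcp are not malicious by definition; they are the set that a Microsoft signature alone cannot vouch for, so compare them against the vendor drivers you expect on the host.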
Security researcher Karsten Hahn initially suspected the detection was a false positive but later proved that it was not. Following this event, Microsoft confirmed the mistake and immediately suspended the account associated with the driver.
They have since been investigating the incident, hoping this will help them further refine the process of certification. According to its latest statement, there is no evidence that the malware developers actually stole the certificates.
The malware also did not target enterprise users or any other users outside China. According to Microsoft, gamers use the said malware to gain an advantage over other players and for geo-location spoofing, and it only works after a player account has already been compromised.
The malware is inactive unless installed on a PC by threat actors with administrator-level privileges or by the end-users themselves. Microsoft confirms that Netfilter doesn’t pose any significant threats because of these reasons.
But to resolve the issue, Microsoft keeps working on investigating and patching all known security threats. The company confirmed that users would get clean drivers through Windows Update. Following this incident, the tech giant assures the public that there is only minimal impact and that the malware only targets gamers in China.