Malicious software from China passed Microsoft’s certification process
1 min read | 28 Jun 2021, 02:21 PM IST

Microsoft certified a piece of driver software called Netfilter, which contained a rootkit connecting to servers in China. “We have suspended the account and reviewed their submissions for additional signs of malware,” the tech giant said, confirming its mistake.

Security researcher Karsten Hahn has found that Microsoft certified a piece of driver software called Netfilter, which contained a rootkit connecting to servers in China. “Microsoft is investigating a malicious actor distributing drivers within gaming environments. The actor submitted drivers for certification through the Windows Hardware Compatibility Programme. The drivers were built by a third party. We have suspended the account and reviewed their submissions for additional signs of malware,” Microsoft said, confirming the mistake.
Because driver software acts as the interface between the operating system (OS) and hardware devices, it has highly privileged access to the computer it runs on. As a result, malicious code built into such software is a serious security threat to enterprises and users alike. Microsoft, like most other OS makers, issues security certificates for driver software meant for its platform; such software is required to run various kinds of hardware with Windows.
Rootkits are malware that let attackers gain unauthorized access to, and control of, a device. Hardware manufacturers have to get their driver software certified by Microsoft through the Windows Hardware Compatibility Programme (WHCP); the certificate is essentially a stamp of approval telling the user that the driver can be trusted.
Microsoft said that it had seen no evidence that the infrastructure behind its WHCP signing certificate had been compromised. It also said that the threat actor’s activity was limited to the gaming sector, specifically in China, and did not target enterprise users. “The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers,” the company said in a blog post.
The Windows maker is working with third parties to provide a patch for the malware, and said it would ship the update as soon as the publisher issues the patch. Windows Defender, which is Windows’ built-in security tool, will also block the affected versions of the driver in order to stop users from downloading more copies of it.