Microsoft signed a driver loaded with rootkit malware


Operating system creators offer code signing to help you steer clear of hostile software, but Microsoft may have inadvertently broken the trust that signing is meant to create. BleepingComputer says Microsoft has confirmed that it signed Netfilter, a third-party driver for Windows containing rootkit malware that circulated in the gaming community. It passed through the Windows Hardware Compatibility Program (WHCP) despite connecting to malware command and control servers in China, as security researcher Karsten Hahn found days earlier.

It's not clear how the rootkit made it through Microsoft's certificate signing process, although the company said it was investigating what happened and would be "refining" the signing process, partner access policies and validation. There's no evidence the malware writers stole certificates, and Microsoft didn't believe this was the work of state-sponsored hackers.

The driver maker, Ningbo Zhuo Zhi Innovation Network Technology, was working with Microsoft to study and patch any known security holes, including for affected hardware. Users will get clean drivers through Windows Update.

Microsoft said the rogue driver had a limited impact. It was aimed at gamers, and isn't known to have compromised enterprise users. Also, the rootkit only works "post exploitation," according to Microsoft — you need to have already obtained administrator-level access on a PC to install the driver. Netfilter shouldn't pose a threat unless you go out of your way to load it, in other words.

Even so, the incident isn't entirely comforting. Many people see a signed driver as confirming that a driver or program is safe. Those users might be hesitant to install new drivers in a timely fashion if they're worried there might be malware, even if those drivers come straight from the manufacturer.
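The point the article closes on is that a valid signature establishes who signed a file, not whether the file is benign: the Netfilter driver carried a legitimate WHCP signature from Microsoft and was still malicious. The PowerShell snippet below is an added example, not code from the article or from Microsoft; it lists the kernel drivers currently running on a Windows machine with their signature status, signer and SHA-256 hash, so an administrator can see the signer separately from any judgement about the file and compare hashes against an indicator list obtained elsewhere. The `$knownBadHashes` list is a placeholder (the article publishes no hashes), and the path normalisation assumes the common `\SystemRoot\` and relative `system32\` forms that `Win32_SystemDriver.PathName` returns.

```powershell
# Added example (not from the article). Requires Windows PowerShell 5.1 or
# PowerShell 7 on Windows; run from an elevated prompt to read every driver.

function Get-DriverSignatureReport {
    param(
        # Placeholder: fill from a vetted indicator feed. Constructed, not from the article.
        [string[]] $KnownBadHashes = @()
    )

    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        # Normalise the kernel-style paths WMI reports into a file-system path.
        $path = $d.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if ($path -match '^(system32|System32)\\') { $path = Join-Path $env:SystemRoot $path }
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

        [pscustomobject]@{
            Name      = $d.Name
            Path      = $path
            Status    = $sig.Status                      # Valid / NotSigned / HashMismatch ...
            Signer    = $sig.SignerCertificate.Subject   # who vouched for the file
            SHA256    = $hash
            # A valid signature and a known-bad hash can both be true at once,
            # which is exactly the Netfilter situation the article describes.
            KnownBad  = $KnownBadHashes -contains $hash
        }
    }
}

# Usage: surface anything flagged by hash first, then everything not validly signed.
$report = Get-DriverSignatureReport -KnownBadHashes @('PLACEHOLDER_SHA256_FROM_YOUR_IOC_FEED')
$report | Where-Object { $_.KnownBad } | Format-Table Name, Path, Signer -AutoSize
$report | Where-Object { $_.Status -ne 'Valid' } | Format-Table Name, Path, Status -AutoSize
$report | Sort-Object Signer | Format-Table Name, Status, Signer -AutoSize
```

Drivers that passed WHCP show a Microsoft publisher as the signer, which is why the hash comparison is kept as a separate column: the signer column answers "who signed this", and only an external indicator or a behavioural finding answers "is this safe".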
