Microsoft signed a driver loaded with rootkit malware

Operating system developers offer code signing to help you avoid hostile software, but Microsoft may have inadvertently broken the trust that signing is designed to create. According to BleepingComputer, Microsoft has confirmed that it has signed Netfilter, a third-party driver for Windows that contains rootkit malware that has been circulating in the gaming community. It went through the Windows Hardware Compatibility Program (WHCP) despite connecting to malware command and control servers in China, as security researcher Karsten Hahn noted days earlier.

It is not clear how the rootkit went through Microsoft’s certificate signing process, although the company said it was investigating what happened and “refining” the signing process, partner access policies, and validation. There is no evidence that the malware authors stole certificates, and Microsoft did not believe that it was the work of government-sponsored hackers.

Driver manufacturer Ningbo Zhuo Zhi Innovation Network Technology worked with Microsoft to investigate and fix all known security vulnerabilities, including those for affected hardware. Users can get clean drivers through Windows Update.

Microsoft said the rogue driver had a limited impact. It was aimed at gamers and is not known to have compromised corporate users. In addition, according to Microsoft, the rootkit only works “after it has been exploited” – you must already have administrator access on a PC in order to install the driver. In other words, Netfilter shouldn’t pose a threat unless someone with administrator rights deliberately loads it.

Even so, the incident is not entirely reassuring. Many people see a signed driver as confirmation that a driver or program is safe. These users may be reluctant to install new drivers in a timely manner if they fear that malware is present, even when those drivers come directly from the manufacturer.
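The point the article makes in its opening and closing paragraphs is that a signature proves who vouched for a file and that it has not been altered, not that the code is benign. The following script is an added example, not code from the article or from Microsoft; it inventories the kernel drivers currently loaded on a Windows machine and reports what each one's Authenticode signature actually says, so an administrator can review third-party drivers by hand rather than treating "Valid" as a clean bill of health. The function name `Get-DriverSignatureReport` and the `-IncludeStopped` switch are this example's own; it assumes Windows PowerShell 5.1 or later, run from an elevated prompt.

```powershell
# Added example (not from the article): list loaded kernel drivers with their
# Authenticode signature status and signer. A valid signature answers "who signed
# this and is it unmodified?", not "is this safe?".

function Get-DriverSignatureReport {
    [CmdletBinding()]
    param(
        # By default only drivers currently loaded in the kernel are reported.
        [switch]$IncludeStopped
    )

    $drivers = Get-CimInstance -ClassName Win32_SystemDriver
    if (-not $IncludeStopped) {
        $drivers = $drivers | Where-Object { $_.State -eq 'Running' }
    }

    foreach ($d in $drivers) {
        # WMI sometimes returns kernel-style paths (\??\C:\... or \SystemRoot\...);
        # normalise them to a path the file system cmdlets understand.
        $path = $d.PathName
        if (-not $path) { continue }
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig = Get-AuthenticodeSignature -FilePath $path

        [pscustomobject]@{
            Driver     = $d.Name
            Path       = $path
            Status     = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
            Signer     = $sig.SignerCertificate.Subject  # who signed the file
            Issuer     = $sig.SignerCertificate.Issuer   # which CA issued the signing cert
            IsOSBinary = $sig.IsOSBinary                 # Microsoft-shipped OS component?
            NotAfter   = $sig.SignerCertificate.NotAfter
        }
    }
}

# Usage: show every loaded driver that is not an OS component, whatever its
# signature status. These are the ones worth reviewing by hand.
Get-DriverSignatureReport |
    Where-Object { -not $_.IsOSBinary } |
    Sort-Object Status, Signer |
    Format-Table Driver, Status, Signer, IsOSBinary -AutoSize
```

Note that a driver which passed the Windows Hardware Compatibility Program carries Microsoft's own publisher signature even though the code was written by a third party, so the `Signer` column will read as Microsoft for such drivers while `IsOSBinary` is false. That combination is exactly the case the article describes, and it is why the report filters on `IsOSBinary` rather than on the signer name or on `Status` alone.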

All products recommended by Engadget are selected by our editorial team independently of our parent company. Some of our stories contain affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
