
After Approving Rootkit Malware, Microsoft Will Refine Code Signing Process


Microsoft signed off on a driver that contains rootkit malware. Despite processes and checkpoints—like code signing and the Windows Hardware Compatibility Program (WHCP)—meant to prevent exactly this kind of event, the driver still made it through.

The third-party Windows driver, Netfilter, was observed communicating with Chinese command-and-control IPs. Netfilter was distributed within the gaming community. It was first detected by G Data malware analyst Karsten Hahn, who immediately shared notice of the breach on Twitter and notified Microsoft; the finding was soon further vetted by the wider infosec community and by Bleeping Computer.

Though Microsoft has confirmed that it did, indeed, sign off on the driver, there is no clear information yet regarding how the driver made it through the company’s certificate-signing process. Microsoft is currently investigating and said it “will be sharing an update on how we are refining our partner access policies, validation and the signing process to further enhance our protections.”

Currently, there is no evidence that the malware writers stole certificates, or that the activity can be attributed to a nation-state actor. Microsoft also noted that the malware has had a limited impact, taking aim at gamers and not enterprise users. “We have suspended the account and reviewed their submissions for additional signs of malware,” Microsoft shared in a blog update.

Despite the malware seeming to have little to no impact, and Microsoft eagerly working to resolve the issue and refine its code signing process, the incident has nonetheless disrupted user trust in Microsoft. The average user depends on these certificates and checkpoints to have a way to know that updates and new drivers are safe to install. This disruption could make users wary of future downloads for some time to come.

via Engadget

Suzanne Humphries
Suzanne Humphries was a Commerce Editor for Review Geek. She has over seven years of experience across multiple publications researching and testing products, as well as writing and editing news, reviews, and how-to articles covering software, hardware, entertainment, networking, electronics, gaming, apps, security, finance, and small business.