/?pid=22704

Updated:09:26 AM EST Nov 29
this is ggmania.com subsite

NEWS
rss feed 
 
top 100
archive
ARTICLES
CD/DVD tools
Free Antivir
Security
Drivers
Utilities
FORUMS
LINKS


(C) 2006-2025 TechAmok Independent
All Rights Reserved.


 
 Microsoft digitally signs malicious rootkit driver - TechAmok

Microsoft digitally signs malicious rootkit driver - [security]
05:37 PM EDT - Jun,29 2021 - post a comment

Microsoft gave its digital imprimatur to a rootkit that decrypted encrypted communications and sent them to attacker-controlled servers, the company and outside researchers said. The blunder allowed the malware to be installed on Windows machines without users receiving a security warning or needing to take additional steps. For the past 13 years, Microsoft has required third-party drivers and other code that runs in the Windows kernel to be tested and digitally signed by the OS maker to ensure stability and security. Without a Microsoft certificate, these types of programs can't be installed by default.

Earlier this month, Karsten Hahn, a researcher at security firm G Data, found that his company's malware detection system flagged a driver named Netfilter. He initially thought the detection was a false positive because Microsoft had digitally signed Netfilter under the company's Windows Hardware Compatibility Program. After further testing, Hahn determined that the detection wasn't a false positive. He and fellow researchers decided to figure out precisely what the malware does. "The core functionality seems to be eavesdropping on SSL connections," reverse engineer Johann Aydinbas wrote on Twitter. "In addition to the IP redirecting component, it also installs (and protects) a root certificate to the registry." A rootkit is a type of malware that is written in a way that prevents it from being viewed in file directories, task monitors, and other standard OS functions. A root certificate is used to authenticate traffic sent through connections protected by the Transport Layer Security protocol, which encrypts data in transit and ensures the server to which a user is connected is genuine and not an imposter. Normally, TLS certificates are issued by a Windows-trusted certificate authority (or CA). By installing a root certificate in Windows itself, hackers can bypass the CA requirement. Microsoft's digital signature, along with the root certificate the malware installed, gave the malware stealth and the ability to send decrypted TLS traffic to hxxp://110.42.4.180:2081/s.

In a brief post from Friday, Microsoft wrote, "Microsoft is investigating a malicious actor distributing malicious drivers within gaming environments. The actor submitted drivers for certification through the Windows Hardware Compatibility Program. The drivers were built by a third party. We have suspended the account and reviewed their submissions for additional signs of malware." The post said that Microsoft has found no evidence that either its signing certificate for the Windows Hardware Compatibility Program or its WHCP signing infrastructure had been compromised. The company has since added Netfilter detections to the Windows Defender AV engine built into Windows and provided the detections to other AV providers. The company also suspended the account that submitted Netfilter and reviewed previous submissions for signs of additional malware.


Add your comment (free registrationrequired)

Short overview of recent news articles

Nov,29 2025 20 TOP ALIEXPRESS products for BLACK FRIDAY
Nov,26 2025 Stop Wasting Money on Premium Monitors
Nov,23 2025 The Blackest Friday - Tech News Nov 23
Nov,23 2025 T-Roc: Will this new VW be the best car of 2026?
Nov,23 2025 Can I build my own Steam Machine?
Nov,22 2025 50 NEXT-LEVEL Gadgets Every Man NEEDS to See
Nov,22 2025 RETURN TO SILENT HILL Trailer (2026)
Nov,20 2025 I was WRONG about the Porsche 911 GT3 (or was I?)
Nov,20 2025 Pi GPT Tool Turns Raspberry Pi into a ChatGPT-Powered Smart Device
Nov,17 2025 Rainbow Six Siege X - Official 'Team Rainbow's Last Mission'
Nov,17 2025 Stranger Things Seasons 1-4 Recap
Nov,16 2025 Kill Bill: The Whole Bloody Affair - Official Trailer (2025) Uma
Nov,15 2025 The Devil Wears Prada 2 - Official Teaser Trailer (2026) Meryl
Nov,15 2025 Valve’s New Console and Controller - STEAM Machine & STEAM
Nov,15 2025 Valve Steam Machine, Desktop SteamOS, Steam Frame VR, & Controller |
Nov,01 2025 Battlefield REDSEC - Official Live-Action Trailer
Nov,01 2025 What's the Best PC Upgrade (besides CPU/GPU)?
Oct,31 2025 Directive 8020 - RTX On Trailer
Oct,30 2025 Stranger Things 5 - Official Trailer
Oct,29 2025 AMD Releases Software Adrenalin Edition 25.10.2 WHQL Drivers
Oct,29 2025 Exploding AMD CPUs | Investigating ASRock's Murderboards
Oct,29 2025 Setting Up Our First Huge Gaming Event was CHAOS
Oct,27 2025 Malware of the Future: What an infected system looks like in 2025
Oct,27 2025 F1: Race Highlights | 2025 Mexico City Grand Prix
Oct,26 2025 F1: Qualifying Highlights | 2025 Mexico City Grand Prix
Oct,25 2025 New Big Windows 11 25H2 October Update - New Taskbar Battery Icons
Oct,25 2025 Apple Prepping 'Transfer to Android' Feature, Including 3rd-Party
Oct,24 2025 HW News - RIP Internet, RAM Prices Skyrocket from AI Demand, Intel
Oct,21 2025 Retro Gaming PC Upgrades go WRONG!
Oct,21 2025 How social media has ruined us - the more time you spend online, the
Oct,20 2025 FERRARI 12 CILINDRI // 340KMH REVIEW on AUTOBAHN
Oct,20 2025 ROG Xbox Ally X - a PC Gamer's Perspective
Oct,20 2025 Race Highlights | 2025 United States Grand Prix
Oct,18 2025 RedMagic Puts Liquid Cooling in its New Gaming Phone
Oct,18 2025 Russia Says U.S. Is Planning a $37 Trillion Crypto Reset
Oct,18 2025 Tor Browser says no to Firefox's AI features as it removes them
Oct,14 2025 NVIDIA GeForce 581.57 WHQL Driver
Oct,13 2025 Samsung One UI 8.5 vs iOS 26 - COMPARISON
Oct,12 2025 Google Turned Down by Supreme Court, Must Open up App Payments
Oct,10 2025 AMD releases new 25.10.1 preview graphics driver with Battlefield 6
>> News Archive <<

TechAmok - Privacy Policy        loading time:0.01secs