Microsoft has given its digital imprimatur to a rootkit that decrypts encrypted communications and sends them to attacker-controlled servers, the company and outside researchers said.
The lapse allowed malware to be installed on Windows machines without the user receiving a security warning or having to take any extra steps. For the past 13 years, Microsoft has required that third-party drivers and other code running in the Windows kernel be tested and digitally signed by the OS maker to ensure stability and security. Without a Microsoft certificate, such a program cannot be installed by default.
Eavesdropping on SSL connections
Earlier this month, Karsten Hahn, a researcher at security firm G Data, found that his company’s malware detection system had flagged a driver named Netfilter. He initially thought the detection was a false positive because Microsoft had digitally signed Netfilter under the company’s Windows Hardware Compatibility Program.
After further testing, Hahn determined the detection was not a false positive. He and fellow researchers decided to find out exactly what the malware did.
“The core functionality appears to be eavesdropping on SSL connections,” reverse engineer Johann Aydinbas wrote on Twitter. “In addition to the IP redirect component, it also installs (and protects) root certificates to the registry.”
Spent more time analyzing the Chinese Netfilter drivers discovered by @struppigel:
The core function seems to eavesdrop on SSL connections. In addition to the IP redirection component, it also installs (and protects) root certificates to the registry.
— Johann Aydinbas (@jaydinbas) June 19, 2021
Rootkits are a type of malware written so that they stay hidden from directory listings, task monitors and other standard operating-system functions. Root certificates are used to authenticate traffic sent over connections protected by the Transport Layer Security protocol, which encrypts data in transit and ensures that the server the user connects to is authentic rather than an impersonator. TLS certificates are normally issued by a certificate authority (or CA) that Windows trusts. By installing its own root certificate in Windows, the attacker bypasses the CA requirement.
Microsoft’s digital signature alongside the root certificate installed by the malware. The combination makes the malware stealthy and lets it send decrypted TLS traffic to hxxp://184.108.40.206:2081/s
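The two traits described above, a rogue root certificate in the machine store and a kernel driver carrying a Microsoft signature, are both things a defender can audit. The following PowerShell script is an added example written for this article, not code from G Data, Microsoft or the Netfilter analysis; it assumes an elevated PowerShell 5.1+ session, and the baseline thumbprint list is a placeholder to be replaced with values captured from a clean build.

```powershell
# Added example (not from the article or from G Data/Microsoft): audit the
# machine-wide trusted root store and the kernel driver directory for the
# traits Netfilter combined: a rogue root CA and a signed driver.
# Assumptions: elevated PowerShell 5.1+; $BaselineThumbprints is a placeholder.
param(
    [string[]] $BaselineThumbprints = @('<THUMBPRINT-FROM-GOLDEN-IMAGE>'),
    [int]      $RecentDays          = 30
)

$cutoff      = (Get-Date).AddDays(-$RecentDays)
$useBaseline = $BaselineThumbprints -and ($BaselineThumbprints[0] -notlike '<*')

# 1. Root certificates. Cert:\LocalMachine\Root is backed by the registry key
#    HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates, which is the
#    store a malicious root lands in. With a baseline, anything not in it is
#    suspect; without one, fall back to a weaker recency heuristic (an attacker
#    controls NotBefore, so a baseline is strongly preferred).
$roots = Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
    if ($useBaseline) { $BaselineThumbprints -notcontains $_.Thumbprint }
    else              { $_.NotBefore -gt $cutoff }
}
foreach ($cert in $roots) {
    [pscustomobject]@{
        Finding    = 'UnexpectedRootCA'
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotBefore  = $cert.NotBefore
    }
}

# 2. Kernel drivers. Surface any .sys whose Authenticode signature is not
#    valid, whose signer is not Microsoft, or which was written recently.
#    A valid Microsoft WHCP signature is not proof of safety (Netfilter had
#    one), which is why the recency criterion is included alongside it.
$drivers = Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter *.sys -File
foreach ($drv in $drivers) {
    $sig    = Get-AuthenticodeSignature -FilePath $drv.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft' -or $drv.LastWriteTime -gt $cutoff) {
        [pscustomobject]@{
            Finding         = 'DriverReview'
            File            = $drv.Name
            SignatureStatus = $sig.Status
            Signer          = $signer
            LastWrite       = $drv.LastWriteTime
        }
    }
}
```

Third-party drivers from legitimate vendors will also appear under DriverReview; the list is a review queue to compare against your inventory, not a verdict.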
A serious security lapse
In a short post on Friday, Microsoft wrote, “Microsoft is investigating malicious actors that distribute malicious drivers within gaming environments. Actors submit drivers for certification through the Windows Hardware Compatibility Program. Drivers are created by third parties. We have suspended their accounts and reviewed their submissions for additional malware signals.”
The post said Microsoft found no evidence that the signing certificates for the Windows Hardware Compatibility Program or the WHCP signing infrastructure had been compromised. The company added Netfilter detection to the Windows Defender AV engine built into Windows and shared the detections with other AV providers. The company also suspended the accounts that submitted Netfilter and reviewed their previous submissions for further signs of malware.
The actor’s activity is limited to the gaming sector, especially in China, and does not appear to target enterprise environments. We do not identify this as a nation-state actor at this time. The actor’s goal is to use the driver to spoof geolocation in order to cheat the system and play from anywhere. The malware gives them an advantage in games and may let them take advantage of other players by compromising their accounts through common tools such as keyloggers.
It is important to understand that the techniques used in this attack occur post-exploitation. This means an attacker must already hold administrator privileges, and can then run the installer to update the registry and install the malicious driver the next time the system boots, or convince the user to do so on their behalf.
Despite the limitations the post describes, the lapse is a serious one. Microsoft’s certification program is designed to protect against precisely the kind of attack G Data first discovered. Microsoft has yet to say how it came to digitally sign the malware. A company representative declined to provide an explanation.