Microsoft accidentally signed a malware-rigged driver targeting gamers

Microsoft is investigating the incident

Responding to what first appeared to be a false positive, cybersecurity researchers caught hold of a malicious driver that was officially signed by Microsoft.

Karsten Hahn, a malware analyst with security vendor G Data, blogged about Microsoft’s faux pas, while sharing his observations about the driver’s malicious activities.

Analysis revealed that the driver, named Netfilter, was in fact a rootkit that redirected traffic to Chinese command and control (C&C) servers.

“Last week our alert system notified us of a possible false positive because we detected a driver named ‘Netfilter’ that was signed by Microsoft…In this case the detection was a true positive, so we forwarded our findings to Microsoft who promptly added malware signatures to Windows Defender and are now conducting an internal investigation,” wrote Hahn.

Malicious driver

Hahn explains that, since the launch of Windows Vista, all code that runs in the kernel space needs to be tested and signed by Microsoft. Simply put, any driver that doesn’t bear the official seal of approval from Microsoft cannot be installed “by default.”

As per Hahn’s analysis, the Netfilter driver was flagged because it didn’t appear to provide any “legitimate functionality” and was exhibiting abnormal behavior by communicating with China-based C&C IPs.

According to Bleeping Computer, Microsoft has confirmed it accidentally signed the malicious driver, which is being distributed within gaming environments.

Software supply chain threat

Hahn states that Microsoft is actively investigating how the driver managed to pass the signing process.

Bleeping Computer adds that the software giant hasn’t found evidence that the driver was signed by stolen code-signing certificates. This would seem to suggest the malicious actor got the seal of approval following due process.

This is an even more worrying prospect, as it points to chinks in Microsoft’s driver signing process that might have been exploited to poison the software supply chain, with potential ramifications for businesses of all sizes.

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.