Microsoft gave its digital imprimatur to a rootkit that decrypted encrypted communications and sent them to attacker-controlled servers, the company and outside researchers said.
The blunder allowed the malware to be installed on Windows machines without users receiving a security warning or taking additional steps. For the past 13 years, Microsoft has required third-party drivers and other code running in the Windows kernel to be tested and digitally signed by the OS maker to ensure stability and security. Without a Microsoft certificate, these types of programs cannot be installed by default.
Eavesdropping on SSL connections
Earlier this month, Karsten Hahn, a researcher at security firm G Data, discovered that his company’s malware detection system flagged a driver called Netfilter. He initially thought the detection was a false positive because Microsoft had digitally signed Netfilter under the company’s Windows Hardware Compatibility Program.
After further testing, Hahn determined that the detection was not a false positive. He and fellow researchers decided to find out exactly what the malware does.
“The core functionality seems to eavesdrop on SSL connections,” reverse engineer Johann Aydinbas wrote on Twitter. “In addition to the IP redirection component, it also installs (and protects) a root certificate to the registry.”
Spent a little more time analyzing the Chinese Netfilter driver discovered by @struppiegel. The core functionality seems to be eavesdropping on SSL connections. In addition to the IP redirection component, it also installs (and protects) a root certificate to the registry.
— Johann Aydinbas (@jaydinbas) June 19, 2021
A rootkit is a type of malware that is written in such a way that it cannot be seen in file folders, task monitors, and other standard OS functions. A root certificate is used to authenticate traffic sent over connections protected by the Transport Layer Security protocol, which encrypts data in transit and ensures that the server a user is connected to is genuine and not an impostor. Normally, TLS certificates are issued by a certificate authority (CA) that Windows already trusts. Installing a root certificate into Windows itself lets the attackers bypass that CA requirement: any certificate chaining to the rogue root is accepted as genuine.
Microsoft’s digital signature, along with the root certificate the malware installed, gave the malware stealth and the ability to send decrypted TLS traffic to hxxp://126.96.36.199:2081/s.
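The two artifacts described above, a root certificate pushed into the machine-wide trust store and a kernel driver whose only claim to trust is a Microsoft signature, can be inventoried from an elevated PowerShell session with the script below. It is an added example, not code from the article, from G Data or from Microsoft; the baseline thumbprint list is a placeholder to be replaced with thumbprints exported from a known-good machine.

```powershell
# Added example (not from the article): inventory the machine root store and
# the loaded kernel drivers so an unexpected root certificate or an out-of-place
# driver stands out. Run as Administrator on Windows PowerShell 5.1 or later.

# Constructed placeholder baseline: export the Thumbprint column from a clean,
# fully patched machine and paste those values here.
$KnownRootThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-FROM-KNOWN-GOOD-BASELINE'
)

# 1. Root certificates in the machine-wide store that are not in the baseline.
#    A rootkit that "installs (and protects) a root certificate" appears here,
#    and every entry in the Root store is self-signed, so the subject alone
#    says nothing about legitimacy; compare against the baseline instead.
$unexpectedRoots = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $KnownRootThumbprints -notcontains $_.Thumbprint } |
    Select-Object Subject, NotBefore, NotAfter, Thumbprint

Write-Host 'Root certificates not in baseline:' -ForegroundColor Yellow
$unexpectedRoots | Sort-Object NotBefore -Descending | Format-Table -AutoSize

# 2. Kernel drivers registered as services, with their signature status and
#    signer. A valid Microsoft WHCP signature is not proof of benign intent,
#    so the signer and the on-disk location are recorded for review.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # Normalise the NT-style paths the service database stores.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State
                Path      = $path
                SigStatus = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
            }
        }
    }

# Flag drivers that are not validly signed or that live outside the normal
# drivers directory; a signed driver installed from an arbitrary path is
# exactly the case the article describes.
$suspicious = $drivers | Where-Object {
    $_.SigStatus -ne 'Valid' -or
    $_.Path -notlike (Join-Path $env:SystemRoot 'System32\drivers\*')
}
Write-Host 'Drivers to review (unsigned, invalid signature, or unusual path):' -ForegroundColor Yellow
$suspicious | Format-Table Name, State, SigStatus, Signer, Path -AutoSize
```

Drivers flagged by the path test are not necessarily malicious; the list is a starting point for comparing signer, install date and file hash against vendor documentation and threat intelligence.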
Serious Security Flaw
In a short post from Friday, Microsoft wrote: “Microsoft is investigating a malicious actor who is distributing malicious drivers within gaming environments. The actor submitted drivers for certification through the Windows Hardware Compatibility Program. The drivers were built by a third party. We have suspended the account and checked their submissions for additional signs of malware.”
The post said Microsoft found no evidence that the Windows Hardware Compatibility Program signing certificate or the WHCP signing infrastructure was compromised. The company has since added Netfilter detections to the Windows Defender AV engine built into Windows and delivered the detections to other AV providers. The company also suspended the account that had submitted Netfilter and checked its previous submissions for signs of additional malware.
Microsoft added:
The actor’s activity is limited to the gaming sector, especially in China, and does not seem to focus on corporate environments. We don’t attribute this to a nation state at this point. The aim of the actor is to use the driver to fake their geographic location to cheat the system and play anywhere. The malware allows them to gain an advantage in games and potentially exploit other players by compromising their accounts through common tools such as keyloggers.
It is important to understand that the techniques used in this attack occur post-exploitation, meaning that an attacker must either have already been given administrator privileges to run the installer to update the registry and install the malicious driver the next time the system boots, or convince the user to do so on their behalf.
Despite the limitations noted in the post, the lapse is serious. Microsoft’s certification program is designed to block exactly the kind of attack that G Data discovered. Microsoft has yet to say how it came to digitally sign the malware. Company representatives declined to comment.