Microsoft confirms signing Netfilter rootkit malware
Microsoft has confirmed that a malicious driver called Netfilter was signed through its own driver signing process. The driver is a rootkit: once loaded by Windows it runs as trusted code and was observed communicating with command and control (C2) infrastructure in China. Because the signature is genuine rather than forged, Windows loads the driver exactly as it would any other validly signed driver, which is what makes the case significant for security researchers and for anyone whose trust decisions rest on a valid signature. Microsoft says the driver was aimed at the gaming sector in China, has suspended the account that submitted it, and has reviewed that account's other submissions for signs of malware.
Vlad Turiceanu, Editor-in-Chief
Passionate about technology, Windows and anything with an on/off button, he spends most of his time developing new skills and learning more about the world of technology. With a strong background in personal computers,…
Have you wondered what Microsoft is doing right now besides preparing Windows 11 for a major release later this year?
This time, the Redmond-based company was genuinely careless and signed a malicious driver that has been circulating in gaming environments.
This is no longer a rumor, as Microsoft has already admitted to this major fiasco.
Netfilter driver is a Microsoft-signed rootkit
The driver in question, called Netfilter, is in fact a rootkit that was spotted communicating with command and control (C2) IP addresses in China.
Analysts at security firm G Data discovered the driver last week and have since been detecting and analyzing further malicious drivers that carry Microsoft's signature.
Needless to say, this incident has once again drawn attention to security risks in the software supply chain, but this time the root cause was a weakness in Microsoft's own code signing process rather than a stolen certificate.
G Data researchers spent considerable time on a thorough analysis of the driver and concluded that it is malware. As stated in their blog post, they were deeply shocked by what they found.
It should be noted that the C2 IP address 220.127.116.11 that the malicious Netfilter driver connects to belongs to Ningbo Zhuo Zhi Innovation Network Technology Co.
Microsoft has admitted fault in this sensitive case
According to the tech giant, the threat is aimed primarily at the gaming industry in China, and there is no indication at this time that any companies have been affected.
Microsoft has also, so far, refrained from attributing the incident to a specific state.
Microsoft stated: "We suspended the account and checked the content for other signs of malware."
In case you haven't heard: fraudulently signed binaries are a favourite tool of sophisticated attackers for large-scale software supply chain attacks, precisely because a valid signature is what endpoint controls use to decide whether code can be trusted.
What's worse for Microsoft is that this incident exposed a weakness in its legitimate code signing process: a malicious third party got Microsoft to sign its code without compromising any certificate, so the resulting signature is indistinguishable from a good one.
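The lesson of the Netfilter case, and of the C2 address quoted above, is that "signed by Microsoft with a valid chain" is not a trust decision. The following triage script is an added example written for this page, not code from the article, G Data or Microsoft: it runs two policies over the same Sysmon-style telemetry, the signature-only policy that let the driver through and a hash allow-list paired with a hunt for the C2 address the article names. Every event, path, hash and port is constructed for the example; the signer string shown for a driver signed through Microsoft's hardware program is an assumption the article does not make.

```python
"""
Added example (not the article's, G Data's or Microsoft's code): correlate
driver-load and network-connection telemetry so that a driver with a valid
Microsoft signature is still reviewed when its hash is unvetted and the kernel
is talking to a known C2 address. All telemetry below is constructed.
"""

# The C2 address the article attributes to the Netfilter driver.
C2_IPS = {"220.127.116.11"}

# Drivers the organisation has actually vetted, keyed by SHA-256 (invented values).
KNOWN_GOOD_SHA256 = {
    "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8": "tcpip.sys",
}

# Sysmon-style telemetry: EventID 6 = driver loaded, EventID 3 = network connection.
# Field names follow Sysmon; every value is constructed for this example.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "SHA256": "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8",
     "Signed": True, "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\netfilter.sys",
     "SHA256": "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b",
     "Signed": True,
     # Assumed signer name for a driver signed via Microsoft's hardware program.
     "Signature": "Microsoft Windows Hardware Compatibility Publisher",
     "SignatureStatus": "Valid"},
    # Kernel-mode network activity is attributed to the System process (PID 4).
    {"EventID": 3, "Image": "System", "ProcessId": 4,
     "DestinationIp": "220.127.116.11", "DestinationPort": 443},
    # Benign user-mode traffic to a documentation-range address (RFC 5737).
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "ProcessId": 1234,
     "DestinationIp": "192.0.2.10", "DestinationPort": 443},
]


def signature_only_trusted(driver_event):
    """The rule that let Netfilter through: a valid signature is treated as trust."""
    return bool(driver_event["Signed"]) and driver_event["SignatureStatus"] == "Valid"


def hash_allowlisted(driver_event):
    """Trust only drivers whose exact hash has been vetted, whoever signed them."""
    return driver_event["SHA256"] in KNOWN_GOOD_SHA256


def c2_connections(events):
    """Network events whose destination is a known C2 address."""
    return [e for e in events if e["EventID"] == 3 and e["DestinationIp"] in C2_IPS]


def triage(events):
    """Return (driver path, reason) for every loaded driver that a signature-only
    policy would trust but the hash allow-list does not.

    Sysmon reports kernel traffic under PID 4 rather than under a driver, so a
    C2 hit from System cannot be pinned on one driver from this telemetry alone;
    it is therefore reported against every unvetted driver for the analyst.
    """
    kernel_c2 = [e for e in c2_connections(events) if e["ProcessId"] == 4]
    c2_list = ", ".join(sorted({e["DestinationIp"] for e in kernel_c2}))
    findings = []
    for e in events:
        if e["EventID"] != 6:
            continue
        if signature_only_trusted(e) and not hash_allowlisted(e):
            reason = f"valid signature ({e['Signature']}) but hash not on allow-list"
            if kernel_c2:
                reason += f"; System (PID 4) connected to known C2 {c2_list}"
            findings.append((e["ImageLoaded"], reason))
    return findings


if __name__ == "__main__":
    for path, why in triage(SAMPLE_EVENTS):
        print(f"REVIEW {path}: {why}")
```

On the constructed data the signature-only policy accepts both drivers, while the triage reports only netfilter.sys, with the kernel-mode connection to the C2 address attached as context. In production the allow-list would be fed from a vetted driver inventory and the C2 set from threat intelligence; the point is that neither check relies on who signed the file.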
We will follow the developments of this story and keep you posted.