Microsoft Certified A Driver That Carried Rootkit Malware, Connecting to Servers in China

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee users that a code has not been altered or corrupted. Operating system makes use code signing to help users steer clear of malicious software. Microsoft seems to have messed up with a specific code signing. The company has confirmed that it mistakenly signed a malicious driver for Windows that contains a rootkit malware. The third-party driver, named Netfilter, was said to be communicating with Chinese command-and-control servers, a report in Bleeping Computer said. Security researcher Karsten Hahn first found the malicious driver last week, the report says.

Last week, the security researchers flagged what appeared to be a ‘false positive,’ but it wasn’t. The driver (Netfilter) was seen communicating with China-based command and control servers. The driver didn’t provide any legitimate functionality and as such raised suspicions. It is not clear as to how the driver containing the rootkit malware made it through Microsoft’s certificate signing process, although the company said that it was investigating what happened and would be ‘refining’ the signing process. There is also no evidence to show that the malware developers stole Microsoft’s certificates. Microsoft believes that this was not the work of state-sponsored hackers.