{"id":285783,"date":"2021-06-28T19:04:47","date_gmt":"2021-06-28T16:04:47","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/after-approving-rootkit-malware-microsoft-will-refine-code-signing-process-review-geek\/"},"modified":"2021-06-28T19:04:47","modified_gmt":"2021-06-28T16:04:47","slug":"after-approving-rootkit-malware-microsoft-will-refine-code-signing-process-review-geek","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/after-approving-rootkit-malware-microsoft-will-refine-code-signing-process-review-geek\/","title":{"rendered":"#After Approving Rootkit Malware, Microsoft Will Refine Code Signing Process \u2013 Review Geek"},"content":{"rendered":"

“#After App<\/a>roving Rootkit Malware, Microsoft Will Refine Code Signing Process \u2013 Review Geek”<\/strong><\/p>\n

\n
\"Microsoft
Sundry Photography\/Shutterstock.com<\/a><\/span><\/figcaption><\/figure>\n

Microsoft <\/span>signed off<\/span><\/a> on a driver that contains rootkit malware. Despite having processes and checkpoints\u2014like code signing and the Windows Hardware Compatibility Program (WHCP)\u2014in place to prevent such events from happening, the driver still managed to pass through.<\/span><\/p>\n

The third-party Windows driver, Netfilter, was observed communicating with Chinese command-and-control IPs. Netfilter was distributed within the gaming community. It was first detected by G Data malware analyst Karsten Hahn (and soon further vetted by the infosec community at large and <\/span>Bleeping Computer<\/span><\/i><\/a>), who immedia<\/a>tely shared notice of the breach <\/span>on Twitter<\/span><\/a> and notified Microsoft.<\/span><\/p>\n

\n

\u2622\ufe0fNetwork filter rootkit that connects to this IP in China:
hxxp:\/\/110.42.4.180:2081\/u<\/p>\n

It does not look like Moriya (signature will be corrected asap)<\/p>\n

File is signed by Microsoft.#rootkit<\/a> #netfilter<\/a>https:\/\/t.co\/lhvmmgHn6w<\/a><\/p>\n

\u2014 Karsten Hahn (@struppigel) June 17, 2021<\/a><\/p>\n<\/blockquote>\n

Though Microsoft has <\/span>confirmed<\/span><\/a> that it did, indeed, sign off on the driver, there is no clear information yet regarding how the driver made it through the company\u2019s certificate signing process. Microsoft is currently investigating and said it \u201cwill be sharing an update on how we are refining our partner access policies, validation and the signing process to further enhance our protections.\u201d<\/span><\/p>\n

Currently, there is no evidence that the malware writers stole certificates, or that the activity can be attributed to a nation-state actor. Microsoft also noted that the malware has had a limited impact, taking aim at game<\/a>rs and not enterprise users. \u201cWe have suspended the account and reviewed their submissions for additional signs of malware,\u201d Microsoft shared in a <\/span>blog update<\/span><\/a>.<\/span><\/p>\n

Despite the malware seeming to have little to no impact, and Microsoft eagerly working to resolve the issue and refine its code signing process, the incident has nonetheless disrupted user trust in Microsoft. The average user depends on these certificates and checkpoints to have a way to know that updates and new drivers are safe to install. This disruption could make users wary of future downloads for some time to come.\u00a0<\/span><\/p>\n

via <\/span>Engadget<\/span><\/a><\/small>\n<\/div>\n