Microsoft Publicly Confirms Signing a Malicious Malware Drive Called ‘Netfilter’

Microsoft Publicly Confirms Signing a Malicious Malware Drive Called ‘Netfilter’
Getty Image: Jeenah Moon

Microsoft recently announced that it signed a malicious driver, "Netfilter," a rootkit malware.

Technically, the company recently signed a critical driver that is being distributed within the entire gaming community.

Microsoft Malicious Malware

Bleeping Computer reported that the malicious drive that Microsoft signed is called "Netfilter," and it is a rootkit malware. Upon observing the rootkit, Microsoft found out that it communicated with Chinese command-and-control IPs (C2).

Based on the report, Karsten Hahn, a G Data malware analyst, was the first one who noticed the "Netfilter."

After noticing the malware, the infosec community helped him trace, analyze, and identify the malicious drivers that bore Microsoft's seal.

To everyone's surprise, the Chinese command-and-control IPs belong to one of the companies that the United States Department of Defense labeled as "Community Chinese Military."

As a result, the event exposed various threats to the entire software supply-chain security. However, this incident is to be blamed on Microsoft's weak verification of its code-signing process.

What is the Rootkit 'Netfilter' Driver Signed by Microsoft?

According to Bleeping Computer, the cybersecurity alert systems of G Data flagged what seemed to be a false positive -- or so they thought.

It was indeed the Rootkin "Netfilter" Driver that Microsoft recently signed.

The malicious "Netfilter" in question provided no legitimate activity in terms of functionality. As a result, it raised certain suspicions.

Because of this, Hahn decided to tweet about it.

Hahn stated that ever since Windows Vista, all codes that will run on kernel-mode must be tested and signed right before its public release. Microsoft has to ensure that it is stable enough to run on the operating system.

He added that drivers that do not have a Microsoft certificate could only be installed by default.

Microsoft Admits Its Mistake

After publicly announcing that they made a mistake, Microsoft's team immediately started investigating the incident. However, the company still has not found any solid evidence regarding the stolen code-signing certificates used.

It reported that the mishap seemed to have come from the threat actor that followed Microsoft's submitting the malicious rootkit "Netfilter" drivers.

On top of this, acquiring the binary signed by Microsoft had to be acquired in a legitimate manner.

The tech giant announced that it has already suspended the account and is now being reviewed to submit added malware signs.

So far, Microsoft has refused to make it a global issue.

What's Next for Microsoft?

In other news, Windows 11 will start rolling out later in 2021. It will be for all Windows 10 users. But despite being a free upgrade, it might be a little complicated as some of the users' hardware tend to be incompatible with the new Windows 11.

Despite Microsoft's effort to alter its hardware requirements, Windows 11 seems only to support 8th-Gen and more recent Intel Core processors.

It includes Celeron, Pentium, and Apollo Lake processors.

This article is owned by Tech Times

Written by Fran Sanders

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Join the Discussion
Real Time Analytics