Code signing is the process of digitally signing executables and scripts so that users can confirm who the software's author is and verify that the code has not been altered or corrupted since it was signed. Operating systems rely on code signing to help users steer clear of malicious software; 64-bit Windows, for example, refuses to load a kernel driver that does not carry a Microsoft signature, which is why a Microsoft signature on a malicious driver matters. Microsoft appears to have slipped up with exactly such a signature. The company has confirmed that it mistakenly signed a malicious third-party driver for Windows that contains rootkit malware. The driver, named Netfilter, was observed communicating with command-and-control servers in China, according to a report in Bleeping Computer. Security researcher Karsten Hahn first flagged the malicious driver last week, the report says.
Last week, the detection initially looked like a 'false positive' to the researchers, but it wasn't. The driver (Netfilter) was seen communicating with China-based command-and-control servers, and because it provided no legitimate functionality of its own, it raised suspicions. It is not clear how a driver containing rootkit malware made it through Microsoft's driver-signing process (the Windows Hardware Compatibility Program), although the company said it was investigating what happened and would be 'refining' the signing process. There is also no evidence that the malware developers stole Microsoft's signing certificates: the driver was signed by Microsoft through the normal process. Microsoft believes this was not the work of state-sponsored hackers.
The maker of the driver, Ningbo Zhuo Zhi Innovation Network Technology, was working with Microsoft to investigate and patch any known security holes, including those affecting the relevant hardware. Users will receive clean drivers through Windows Update. Microsoft said the rogue driver had limited impact and was aimed at gamers; it is not known to have compromised any enterprise users.
A rootkit of this kind works only "post exploitation", according to Microsoft: whoever installs the driver must already hold administrator-level access on the PC. Simply put, Netfilter shouldn't pose a threat unless users go out of their way to load it. The practical caveat is that, because Microsoft itself signed the driver, the operating system's signature check on load passes just as it does for any legitimate driver, so the signature alone will not reveal it. Controlling who can install drivers, and checking which drivers are actually present on a machine, is what protects against it.
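As an added example, and not code from the article, from Microsoft or from the driver's vendor, the PowerShell below inventories the kernel drivers registered on a Windows machine, verifies each driver file's Authenticode signature, records its SHA-256 hash and flags any whose service name or file path matches a suspect string. It assumes an elevated PowerShell 5.1 or later session on Windows. The $SuspectNames list is a constructed placeholder containing only 'netfilter', since the article gives no hashes or exact file names; replace it with the indicators your anti-virus vendor publishes.

```powershell
# Added example, not part of the original article. Assumes an elevated
# PowerShell 5.1+ session on Windows.
# Constructed placeholder: the article names only "Netfilter"; replace with
# the file names and hashes your AV vendor publishes.
$SuspectNames = @('netfilter')

# Win32_SystemDriver.PathName comes in several shapes (\SystemRoot\..., \??\C:\...,
# system32\drivers\..., or a plain absolute path); normalise it to a path we can open.
function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                            # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot           # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\" # relative to the Windows directory
    return $p
}

# One record per registered driver: signature status, signer subject, SHA-256
# and whether the name or path matches a suspect string.
function Get-DriverSignatureReport {
    param([string[]]$Suspects = $SuspectNames)
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = Resolve-DriverPath $drv.PathName
        $entry = [ordered]@{
            Name    = $drv.Name
            State   = $drv.State
            Path    = $path
            Status  = 'FileNotFound'
            Signer  = $null
            Sha256  = $null
            Suspect = $false
        }
        if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $entry.Status = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $entry.Signer = $sig.SignerCertificate.Subject }
            $entry.Sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
        foreach ($s in $Suspects) {
            if ($drv.Name -like "*$s*" -or ($path -and $path -like "*$s*")) { $entry.Suspect = $true }
        }
        [pscustomobject]$entry
    }
}

# Report everything that fails signature validation or matches a suspect name.
# A Microsoft-signed malicious driver does NOT fail validation, which is the whole
# point of the article; the Suspect column and the hash are what you compare
# against published indicators.
$report = Get-DriverSignatureReport
$report | Where-Object { $_.Status -ne 'Valid' -or $_.Suspect } |
    Format-Table Name, State, Status, Signer, Sha256 -AutoSize
```

The article's point is visible in the output: a driver that Microsoft itself signed reports Status Valid with a Microsoft signer subject, exactly like every legitimate driver, so the Status column cannot identify it on its own. That is why the script also surfaces the name match and the SHA-256, which are what you compare against indicators from your vendor, and why the administrator access that Microsoft describes as the prerequisite is the control that actually matters.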