
Microsoft Admits to Mistakenly Signing a Malicious Malware Rootkit (gdatasoftware.com) 43

Bleeping Computer reports: Microsoft has now confirmed signing a malicious driver being distributed within gaming environments. This driver, called "Netfilter," is in fact a rootkit that was observed communicating with Chinese command-and-control IPs.

G Data malware analyst Karsten Hahn first took notice of this event last week and was joined by the wider infosec community in tracing and analyzing the malicious drivers bearing the seal of Microsoft... This incident has once again exposed threats to software supply-chain security, except this time it stemmed from a weakness in Microsoft's code-signing process.

G Data writes: We forwarded our findings to Microsoft who promptly added malware signatures to Windows Defender and are now conducting an internal investigation. At the time of writing it is still unknown how the driver could pass the signing process.
In a Friday blog post, Microsoft said it was contacting other antivirus software vendors "so they can proactively deploy detections," but also emphasized the attack's limited scope: The actor's activity is limited to the gaming sector specifically in China and does not appear to target enterprise environments. We are not attributing this to a nation-state actor at this time. The actor's goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers.

It's important to understand that the techniques used in this attack occur post exploitation, meaning an attacker must either have already gained administrative privileges in order to be able to run the installer to update the registry and install the malicious driver the next time the system boots or convince the user to do it on their behalf.

We will be sharing an update on how we are refining our partner access policies, validation and the signing process to further enhance our protections. There are no actions customers should take other than follow security best practices and deploy Antivirus software such as Windows Defender for Endpoint.

  • by fahrbot-bot ( 874524 ) on Saturday June 26, 2021 @05:37PM (#61524558)

    They misspelled "Windows". :-)

  • esports teams cheating in this way?

    • by evanh ( 627108 )

      No. Other sites are saying it clearly has military links. M$ just isn't prepared to say so yet.

      The presumption is the targets of the state have been using gaming cafes to avoid scrutiny.

  • merry-go-round. Microsoft signs the virus, helps deploy the virus then takes a bow when they add the virus definition to BitDefender!
  • "activity is limited to the gaming sector specifically in China" does Microsoft sign all the "authorized" Windows programs in China for the CCP. If so seems Microsoft and the CCP are joined at the hip.
    • But then all corporations/industries/sports leagues/government entities that operate in China comply 100% with the orders from the CCP or they do not operate there.
    • "activity is limited to the gaming sector specifically in China" does Microsoft sign all the "authorized" Windows programs in China for the CCP. If so seems Microsoft and the CCP are joined at the hip.

      Microsoft signs anything they normally deem not to be malware (though clearly that isn't perfect). Having China at a customer does not mean they are "joined at the hip" especially since that "joined at the hip" customer is one that is actively trying to replace Microsoft.

      I'd prefer MS deal with the CCP than have some private entity act as a morality police.

  • You know, those responsible for most of the current security mess...

    • What current security mess? You do realise that the overwhelming majority of attacks on systems do not target OS level vulnerabilities and instead target users right? Wait... it's gweihir. Of course you don't. Keep believing security is all about picking a vendor, just do us a favour and don't ever work on anything important.

      • Wait, you're wrong. There are epic numbers of holes in OS code, orders of magnitude greater in Microsoft wares than other OS.
        • by gweihir ( 88907 )

          Wait, you're wrong. There are epic numbers of holes in OS code, orders of magnitude greater in Microsoft wares than other OS.

          Unfortunately, yes. Also, MS is setting a bad example, lowering standards overall.

      • by gweihir ( 88907 )

        Just to name a few problems MS caused: Outlook, bad browser security, OS patches so unreliable they get installed with a long delay causing security problems, AD insecurities for lateral movement, laughable protection against local privilege escalation, the more than occasional remote exploit, etc.

        Incidentally, I am an IT security auditor, IT security consultant and IT security lecturer. If I really screw up, it may well make the international press. (Not with my name attached, of course, so I may well be l

        • Just to name a few problems MS caused

          Thanks for your competent use of past tense. But there's one that I need to mock you over:

          OS patches so unreliable they get installed with a long delay causing security problems

          Bahahahahahahahaha. Yeah MS, the company known for forcefully pushing critical updates with no recourse and little warning, for pushing updates at such a high cadence that the entire industry asked them to slow down, the company often mocked and complained about because Slashdot users themselves don't want to reboot to apply updates, that MS is pushing patches with long delay. hahahah. Man your comedy routine is golden

          • OS patches so unreliable they get installed with a long delay causing security problems

            Bahahahahahahahaha. Yeah MS, the company known for forcefully pushing critical updates with no recourse and little warning, for pushing updates at such a high cadence that the entire industry asked them to slow down, the company often mocked and complained about because Slashdot users themselves don't want to reboot to apply updates, that MS is pushing patches with long delay.

            Your argument completely fails to support the idea that the patches are not delayed before they are forced on users.

            Microsoft has done all of the following: Releasing patches early and having to re-patch; releasing patches in a timely fashion; releasing patches after very, very long delays.

            That they force patches on users once released is completely and totally irrelevant to the argument at hand.

            • by gweihir ( 88907 )

              Actually I was mostly thinking about the enterprise version, where MS cannot force anything. Well, they could force themselves out of the enterprise market...

              I have seen delays of security critical patches in enterprises for several weeks just because in-house certification took so long. If MS had reliable patches that do not change functionality beyond the absolute necessary, critical patches would get installed a lot faster, making things a lot more reliable. Contrast that with, for example, Debian Linux.

          • by gweihir ( 88907 )

            Bahahahahahahahaha. Yeah MS, the company known for forcefully pushing critical updates with no recourse and little warning, for pushing updates at such a high cadence that the entire industry asked them to slow down, the company often mocked and complained about because Slashdot users themselves don't want to reboot to apply updates, that MS is pushing patches with long delay. hahahah. Man your comedy routine is golden. 10/10 Everyone should see your stand up show.

            I see you are functionally illiterate and clueless. Obviously I am talking about users delaying patch installation, most notably in the enterprise version. Incidentally, if you had 2 brain cells to rub together, it would have been obvious even to you that not MS is delaying patch installation because of unreliable patches, but users and enterprises that have gotten bitten by that unreliability before.

  • But now they invite/enable root kits. Same old Microsoft. Their level of inadequacy over 20+ years is simply stunning.
  • They test for compatibility for a range of configurations. They can't reasonably check all third party drivers for explicit backdoors, let alone for obfuscated ones.

    • Indeed WHQL is not. I'm just curious why you bring up this completely irrelevant concept which has nothing to do with Microsoft's code-signing process which exists for a completely different purpose.

      Hint: All drivers need to be code-signed. Not all drivers are WHQL.

      • Correctamundo.
        There seem to be a lot of people in this discussion who really have no idea what the fuck they're talking about.
        It perplexes me. If you don't know shit about a topic, why opine as if you do?
  • by larwe ( 858929 ) on Saturday June 26, 2021 @09:47PM (#61525170)
    It's easy to sling off at Microsoft for being too lax, but let's be pragmatic here. Microsoft is a central signing authority for code trust. You are a developer or hardware OEM who needs to release new code on Monday. Do you want a six week approval process involving face to face visits, scanning of passports and other identity documents, blood samples and three-factor authentication? Or, do you want to upload your new build to the signing portal, click "pls approve" and get a signed binary you can distribute?
    • Yeah, it'll be so great when I upgrade to a new computer with a TPM module and current-gen CPU. Then I can run Windows 11 and still get malware, because Microsoft accidentally signed it. Oops.

      • by larwe ( 858929 )
        Yes, that does sound like an irksome sequence of events. But again, I ask - where do you set the dial? The only system that will never approve malware is a system that will never approve anything. And I'll point out something else - which is that I bet practically every non-corp-image Windows PC is running randomly downloaded _unsigned_ code as well. Given the realities of the Windows ecosystem, both in terms of the disparate sources of code and the uncontrollable behaviors of users installing code - where
      • Yeah, it'll be so great when I upgrade to a new computer with a TPM module and current-gen CPU.

        If you have a machine that doesn't have a TPM1.2 at least, you should probably not install Windows 11. Or 10.

        I own 3 pre-skylake machines. All have TPM1.2s.

        I think what's more likely is you're just making noise to make noise.

    • This is just a public example of their fuckups. Microsoft was compromised a long time ago. Why do you think Navy still uses Windows 95?

    • Do you want a six week approval process involving face to face visits, scanning of passports and other identity documents, blood samples and three-factor authentication?

      Yes. If it's that much trouble then they might actually put some effort into eliminating all the bugs the first time around.

    • Why sign code that you aren't going to check? Might as well drop the theater altogether.

      • by larwe ( 858929 ) on Sunday June 27, 2021 @10:27AM (#61526312)
        Does MS even perform static analysis of code they sign? Regardless, however, the signing process does not exist to certify code as intrinsically safe, it exists to 1) authenticate the *source* of the code (an identifiable entity with whom MS has a business relationship) and 2) to provide a mechanism for revoking said signature in the event that skulduggery is detected, as it was in this case. It's not a seal that says "This software is safe", it's a seal that says "This software comes from someone I know how to contact if there's a problem, and I can pull this seal off any time I like".
