Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Microsoft Security

Traffic-Redirecting Rootkit Somehow Got a Microsoft-issued Digital Signature (zdnet.com) 26

Cybersecurity researchers at Bitdefender say cyber criminals have been using a rootkit named FiveSys "that somehow made its way through the driver certification process to be digitally signed by Microsoft," reports ZDNet: The valid signature enables the rootkit — malicious software that allows cyber criminals to access and control infected computers — to appear valid and bypass operating systems restrictions and gain what researchers describe as "virtually unlimited privileges". It's known for cyber criminals to use stolen digital certificates, but in this case, they've managed to acquire a valid one.

It's a still a mystery how cyber criminals were able to get hold of a valid certificate. "Chances is that it was submitted for validation and somehow it got through the checks. While the digital signing requirements detect and stop most of the rootkits, they are not foolproof," Bogdan Botezatu, director of threat research and reporting at Bitdefender told ZDNet. It's uncertain how FiveSys is actually distributed, but researchers believe that it's bundled with cracked software downloads.

Once installed, FiveSys rootkit redirects internet traffic to a proxy server, which it does by installing a custom root certificate so that the browser won't warn about the unknown identity of the proxy. This also blocks other malware from writing on the drivers, in what's likely an attempt to stop other cyber criminals from taking advantage of the compromised system. Analysis of attacks shows that FiveSys rootkit is being used in cyber attacks targeting online gamers, with the aim of stealing login credentials and the ability to hijack in-game purchases. The popularity of online games means that a lot of money can be involved — not only because banking details are connected to accounts, but also because prestigious virtual items can fetch large sums of money when sold, meaning attackers could exploit access to steal and sell these items.

Currently, the attacks are targeting gamers in China — which is where researchers also believe that the attackers are operating from.

"The campaign started slowly in late 2020, but massively expanded during the course of summer 2021," ZDNet adds.

"The campaign is now blocked after researchers at Bitdefender flagged the abuse of digital trust to Microsoft, which revoked the signature."
This discussion has been archived. No new comments can be posted.

Traffic-Redirecting Rootkit Somehow Got a Microsoft-issued Digital Signature

Comments Filter:
  • It's interesting to hear China is the target? Why? My initial conclusion is the market is the largest. If that's the case, it should certainly be an interesting discussion.

    • by larwe ( 858929 )
      There are many possible explanations, including that the authors have found some protocol vulnerability in a Chinese-hosted, popular-in-China game that lets them siphon out things of value. Hunt where the prey is, not where it isn't.
  • This is just one more instance that demonstrates this.

    • Does that include Windows for Warships?
      Asking for a comrade.

    • On one hand, they failed at certificate issuance. On the other, per TFS they succeeded at revocation.

      • by gweihir ( 88907 )

        On one hand, they failed at certificate issuance. On the other, per TFS they succeeded at revocation.

        That is a bit like saying they failed fundamentally at fire protection, but at least managed to put out the fire they caused by incompetence after a while.

        • Anyone could make the same mistake if they're not doing a full code review, and they generally aren't.

  • It seems like Microsoft should have some sort of way to revoke certificates. If they didn't make a way to revoke certificates then it's a massive oversight and some manager should be fired.

    • It seems like Microsoft should have some sort of way to revoke certificates. If they didn't make a way to revoke certificates then it's a massive oversight and some manager should be fired.

      If only you were able to read some kind of summary...

      "The campaign is now blocked after researchers at Bitdefender flagged the abuse of digital trust to Microsoft, which revoked the signature."

  • If I were a criminal with money, paying a Microsoft employee to get my code through the process would probably be a pretty cheap investment. The returns on sales of such advanced malware could be huge

  • Seems like MS should require a tie back to a public webserver hosting a hash of the binary with a decent cert and have a tiny monthly fee tied to a verified PayPal account or something so that they only sign legit stuff with a physical nexus.

    Hell, I need to get far less important stuff notarized.

    I'm all for superior reputation systems, but theirs needs work to be trustworthy.

  • IE "Currently, the attacks are targeting gamers in China — which is where researchers also believe that the attackers are operating from.", I predict several executions in the next month.
  • Strange how I'm finding it difficult to read this with a straight face, given their own reputation.

    However, it shows that Windows makes things difficult for legitimate driver writers without necessarily stopping criminals. The question must now be one of risks and benefits.

    What are the risks posed by certified malware in a system (remembering that the next attack might be against the VA, the military, critical infrastructure, etc, where we know from past incidents that the exposure to threats is far greater

    • by Bongo ( 13261 )

      Perhaps the sham is that we're all making like there's no difference between chopping meat on the kitchen table, and doing brain surgery in an operating theatre -- just use the same tools and the same people and the same techniques!

      "Putting everything on the computer" is turning into a disaster because we are using tools which are not fit for purpose, for more and more critical things which we're relying on.

      And the remedies are just as pathetic, like, "keep everything patched!" or "this site is secure" beca

  • It looks like gaming assets are becoming expensive. Gamers should encrypt and lock their items to keep them safe - if the items can only be kept in the cloud, there is little alternative to protection.

The most delightful day after the one on which you buy a cottage in the country is the one on which you resell it. -- J. Brecheux

Working...