Traffic-Redirecting Rootkit Somehow Got a Microsoft-issued Digital Signature (zdnet.com) 26
Cybersecurity researchers at Bitdefender say cyber criminals have been using a rootkit named FiveSys "that somehow made its way through the driver certification process to be digitally signed by Microsoft," reports ZDNet:
The valid signature enables the rootkit — malicious software that allows cyber criminals to access and control infected computers — to appear valid and bypass operating systems restrictions and gain what researchers describe as "virtually unlimited privileges". It's known for cyber criminals to use stolen digital certificates, but in this case, they've managed to acquire a valid one.
It's a still a mystery how cyber criminals were able to get hold of a valid certificate. "Chances is that it was submitted for validation and somehow it got through the checks. While the digital signing requirements detect and stop most of the rootkits, they are not foolproof," Bogdan Botezatu, director of threat research and reporting at Bitdefender told ZDNet. It's uncertain how FiveSys is actually distributed, but researchers believe that it's bundled with cracked software downloads.
Once installed, FiveSys rootkit redirects internet traffic to a proxy server, which it does by installing a custom root certificate so that the browser won't warn about the unknown identity of the proxy. This also blocks other malware from writing on the drivers, in what's likely an attempt to stop other cyber criminals from taking advantage of the compromised system. Analysis of attacks shows that FiveSys rootkit is being used in cyber attacks targeting online gamers, with the aim of stealing login credentials and the ability to hijack in-game purchases. The popularity of online games means that a lot of money can be involved — not only because banking details are connected to accounts, but also because prestigious virtual items can fetch large sums of money when sold, meaning attackers could exploit access to steal and sell these items.
Currently, the attacks are targeting gamers in China — which is where researchers also believe that the attackers are operating from.
"The campaign started slowly in late 2020, but massively expanded during the course of summer 2021," ZDNet adds.
"The campaign is now blocked after researchers at Bitdefender flagged the abuse of digital trust to Microsoft, which revoked the signature."
It's a still a mystery how cyber criminals were able to get hold of a valid certificate. "Chances is that it was submitted for validation and somehow it got through the checks. While the digital signing requirements detect and stop most of the rootkits, they are not foolproof," Bogdan Botezatu, director of threat research and reporting at Bitdefender told ZDNet. It's uncertain how FiveSys is actually distributed, but researchers believe that it's bundled with cracked software downloads.
Once installed, FiveSys rootkit redirects internet traffic to a proxy server, which it does by installing a custom root certificate so that the browser won't warn about the unknown identity of the proxy. This also blocks other malware from writing on the drivers, in what's likely an attempt to stop other cyber criminals from taking advantage of the compromised system. Analysis of attacks shows that FiveSys rootkit is being used in cyber attacks targeting online gamers, with the aim of stealing login credentials and the ability to hijack in-game purchases. The popularity of online games means that a lot of money can be involved — not only because banking details are connected to accounts, but also because prestigious virtual items can fetch large sums of money when sold, meaning attackers could exploit access to steal and sell these items.
Currently, the attacks are targeting gamers in China — which is where researchers also believe that the attackers are operating from.
"The campaign started slowly in late 2020, but massively expanded during the course of summer 2021," ZDNet adds.
"The campaign is now blocked after researchers at Bitdefender flagged the abuse of digital trust to Microsoft, which revoked the signature."
Re: Somehow. (Score:2)
I laughed. But of course they don't. They don't have insight into the Microsoft process for validation. Are you saying it was a conspiracy? Or what exactly?
Re: (Score:2)
I'm no expert in these matters, but could it be incompetence?
Re: (Score:2)
Somehow it got through the checks. They aren't sure which checks, and they aren't sure when.
There's no source code audit so I'm sure it's not difficult.
All you do is write a program that pretends to be one thing before a certain date then do all the nasty stuff after that date.
Or it only does the nasty stuff if there's a special file on the hard disk that wasn't included during the review.
Or... whatever.
Re: (Score:2)
Somehow it got through the checks. They aren't sure which checks, and they aren't sure when.
There's no source code audit so I'm sure it's not difficult.
So the signature is essentially meaningless? Figures. This is MS after all.
Re:Somehow. (Score:4, Informative)
So the signature is essentially meaningless? Figures. This is MS after all.
The purpose of the signature is not to attest that the software is benign, or that it works, or anything of the sort. The purpose of the signature is to a) identify the software author so they can be pursued in the event of malicious acts, and b) provide a revocable permission for the software to access privileged OS resources so that - exactly as in this case - that permission can be revoked if skulduggery emerges. Binaries that are being signed almost certainly go through some static analysis tool, but hiding malicious payloads from such tools is hardly difficult, and Microsoft does not have time to reverse-engineer every binary to figure out exactly what it really does.
Re: (Score:2)
Oh? So they now know wo did this? Oh, wait, the process of identification is broken as well.
And here is a hint for "revocable permissions": Nobody sane does that with signatures.
Security theater like this makes everybody less secure.
Re: (Score:2)
Security theater like this makes everybody less secure.
Shrug. Arguable. I am not attempting either to excoriate nor justify the system, I'm just stating what it is designed to do.
If we talk about the extremes: if the OS allowed unsigned random code downloaded off the Internet to perform privileged tasks, it would be nice and simple for people to develop and install software, but every computer in the world would be a seething ball of malware infections. (You could speculate about why this doesn't happen on Linux, but probably a big part of the reason is that ve
Re: (Score:2)
CAs routinely sign certs for malware authors, phishing sites, carder forums, and organised crime groups. Their job is to (a) verify domain control and (b) verify that the payment has cleared, with (b) taking priority. That's all.
Anyone who expects anything more from them completely misunderstands how commercial PKI works.
China, the target (Score:2)
It's interesting to hear China is the target? Why? My initial conclusion is the market is the largest. If that's the case, it should certainly be an interesting discussion.
Re: (Score:2)
Microsoft cannot do security competently (Score:2)
This is just one more instance that demonstrates this.
Re: (Score:2)
Does that include Windows for Warships?
Asking for a comrade.
Re: (Score:2)
On one hand, they failed at certificate issuance. On the other, per TFS they succeeded at revocation.
Re: (Score:2)
On one hand, they failed at certificate issuance. On the other, per TFS they succeeded at revocation.
That is a bit like saying they failed fundamentally at fire protection, but at least managed to put out the fire they caused by incompetence after a while.
Re: (Score:2)
Anyone could make the same mistake if they're not doing a full code review, and they generally aren't.
Revocation list? (Score:2)
It seems like Microsoft should have some sort of way to revoke certificates. If they didn't make a way to revoke certificates then it's a massive oversight and some manager should be fired.
Re: (Score:2)
It seems like Microsoft should have some sort of way to revoke certificates. If they didn't make a way to revoke certificates then it's a massive oversight and some manager should be fired.
If only you were able to read some kind of summary...
"The campaign is now blocked after researchers at Bitdefender flagged the abuse of digital trust to Microsoft, which revoked the signature."
Re: (Score:2)
If only you were able to read some kind of summary...
way to be insensitive to the illiterate person! ;)
Bribery (Score:2)
If I were a criminal with money, paying a Microsoft employee to get my code through the process would probably be a pretty cheap investment. The returns on sales of such advanced malware could be huge
Proof of ownership? (Score:1)
Seems like MS should require a tie back to a public webserver hosting a hash of the binary with a decent cert and have a tiny monthly fee tied to a verified PayPal account or something so that they only sign legit stuff with a physical nexus.
Hell, I need to get far less important stuff notarized.
I'm all for superior reputation systems, but theirs needs work to be trustworthy.
If summary is correct (Score:2)
Microsoft and malware. (Score:2)
Strange how I'm finding it difficult to read this with a straight face, given their own reputation.
However, it shows that Windows makes things difficult for legitimate driver writers without necessarily stopping criminals. The question must now be one of risks and benefits.
What are the risks posed by certified malware in a system (remembering that the next attack might be against the VA, the military, critical infrastructure, etc, where we know from past incidents that the exposure to threats is far greater
Re: (Score:2)
Perhaps the sham is that we're all making like there's no difference between chopping meat on the kitchen table, and doing brain surgery in an operating theatre -- just use the same tools and the same people and the same techniques!
"Putting everything on the computer" is turning into a disaster because we are using tools which are not fit for purpose, for more and more critical things which we're relying on.
And the remedies are just as pathetic, like, "keep everything patched!" or "this site is secure" beca
Gaming Assets (Score:1)