Microsoft has launched an investigation to find out why it approved a new driver, called “Netfilter”, even though it contained malicious software that captures communications from the victim’s computer and sends them to an external server.
The scandal started when cybersecurity researcher Karsten Hahn discovered what he at first believed to be a “false positive”; these are very common, and occur when a benign program is mistakenly flagged as malware. Hahn was confident that this program was not malicious, since Microsoft itself had signed the code, as explained on BleepingComputer.
Since the release of Windows Vista, Microsoft has required hardware developers to digitally sign their device drivers; to do this, it runs a compatibility program, WHCP, which allows authors to submit their code for Microsoft to sign. Windows does not load drivers that have not been signed correctly, so the signature is meant to ensure that the drivers on our device are legitimate and not an attack attempt.
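The WHCP signature described above tells Windows that Microsoft attested the driver, not that Microsoft wrote it: drivers that pass through the program are signed with the “Microsoft Windows Hardware Compatibility Publisher” certificate, and the third-party vendor’s identity is only in the file’s own version information. The following PowerShell inventory is an added example, not code from the article or from Microsoft; it lists the kernel drivers registered on the machine, checks each file’s Authenticode status and signer, and separates WHCP-signed third-party drivers from Microsoft’s own so a defender can reconcile them against a known-good inventory or look up their hashes. It assumes an elevated session on Windows 10 or later; the function and variable names are hypothetical.

```powershell
# Added example: inventory kernel drivers by signature status, signer and claimed vendor.
# Assumes an elevated PowerShell 5.1+ session on Windows 10 or later.

function Get-DriverSignatureInventory {
    # Hypothetical helper name; returns one object per registered kernel driver.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName may carry a \??\ or \SystemRoot\ prefix; normalise it to a filesystem path.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig     = Get-AuthenticodeSignature -LiteralPath $path
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $hash    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

            # The WHCP publisher certificate signs third-party drivers on Microsoft's behalf;
            # the vendor name in VersionInfo is the driver's own claim, not something the signature proves.
            $whcp   = $subject -like 'CN=Microsoft Windows Hardware Compatibility Publisher*'
            $vendor = (Get-Item -LiteralPath $path).VersionInfo.CompanyName

            [pscustomobject]@{
                Name        = $_.Name
                State       = $_.State
                Path        = $path
                Status      = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer      = $subject
                WhcpSigned  = $whcp
                ClaimedVendor = $vendor
                Sha256      = $hash
            }
        }
}

$inventory = Get-DriverSignatureInventory

# Anything that fails signature verification is the first thing to examine.
$inventory | Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Name, State, Status, Path -AutoSize

# Running third-party drivers attested through WHCP: valid signature, but the vendor
# is only a claim. Their hashes are what you reconcile against an allow-list or threat intel.
$inventory | Where-Object { $_.State -eq 'Running' -and $_.WhcpSigned } |
    Sort-Object ClaimedVendor |
    Format-Table Name, ClaimedVendor, Sha256 -AutoSize
```

The second listing is the one that matters for an incident of this kind: a driver there can show `Status = Valid` and a Microsoft signer and still be something nobody on the team installed on purpose, so the output is only useful when compared against an inventory of drivers that are expected on that host. On older Windows builds a driver signed only through a catalog file may not report `Valid` from `Get-AuthenticodeSignature` even when it loads fine; treat that as a prompt to check the catalog rather than as a verdict.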
However, that is exactly what Netfilter was. After a more exhaustive investigation, the intentions of this program became evident, including the discovery of a “dropper”, software whose job is to download and install the malware on the computer.
The biggest concern is that, once installed, the malware is able to connect to an external server located in China; and although there were rumors that this server belongs to a government company, that has not been officially confirmed.
Interestingly, this malware is aimed at gamers, and according to Microsoft itself, the goal of its creators would be to use the driver to gain an advantage in games and compromise the accounts of other players, perhaps obtaining data such as the passwords they use in their accounts.
However, the company clarifies that these attacks can only be carried out if the attacker has already gained access to the computer to install the fake driver, or tricks the victim into installing it themselves; for example, we could receive “the new driver for your graphics card” and install it, thinking it is real because Windows shows no warning, as it does with drivers that are not signed.
There are still many mysteries to solve with Netfilter, but the biggest of all is what happened during Microsoft’s approval process for such malware to be digitally signed. At the time, Microsoft presented the signatures as a great improvement in security, but not everyone was happy: many devices stopped working in Windows Vista because they never received signed drivers. Now, Microsoft promises to refine the process it uses to validate and sign drivers.