CATEGORIES
home News

Microsoft Admits It Signed Rootkit Malware That Phones Home To Chinese Military

by Ben FunkSaturday, June 26, 2021, 10:47 AM EDT
download

Ever since the introduction of Windows Vista in early 2007, Microsoft has enforced the rule that Windows drivers must carry digital signatures by default. Any software that runs in kernel mode, in fact, has to be signed by the company. This is a security measure that should prevent malicious software from digging its claws in too deep. However, what happens when Microsoft gives its blessing to a rootkit?

That's what happened a few months ago and was just now discovered thanks to G DATA Software security analyst Karsten Hahn. Initially, the company received a false-positive alert from a driver that was signed by Microsoft. After a lot of investigation into the matter, it turns out that the positive was valid. A driver signed by Microsoft was redirecting traffic bound for hundreds of IP addresses to a server in China. 

The WHOIS record for the IP address in question belongs to Ningbo Zhuo Zhi Innovation Network Technology Co., Ltd. According to the United States Department of Defense, the company is a front for the Chinese military. The rogue server is still active, and currently sends back a string of URLs, which is then parsed by the driver. Those addresses all serve different parts of the driver returning configuration information. One points to a text file which contains the list of IP addresses that should be redirected and where to redirect them. 

malware

Windows Defender signatures now look for this rootkit, which is apparently still under active use. HotHardware has visited the URLs used by the rootkit and we can confirm that they're all still active. Users apparently had no indication that they'd been redirected, so it seems the purpose of intercepting traffic was for information theft. That's par for the course, but the digital signature is a new and very dangerous wrinkle. 

The question remains open, though: how did a rootkit make it through Microsoft's digital signature process? That's the subject that the company is actively investigating internally. The last time the company had a digital signature issue, certificates belonging to Realtek were stolen as part of Stuxnet. Hahn's G DATA blog post only indicates that Microsoft didn't know how this happened. 

In a statement to Bleeping Computer, the Microsoft elaborated, saying that unlike past signature snafus, this one didn't involve stolen certificates: 

Microsoft is investigating a malicious actor distributing malicious drivers within gaming environments. The actor submitted drivers for certification through the Windows Hardware Compatibility Program. The drivers were built by a third party. We have suspended the account and reviewed their submissions for additional signs of malware.

Microsoft's statement says that most of the targeted systems were gaming cafes in China, but the company has not yet blamed state actors, as it did last fall
Tags:  Malware, China, nasdaqmsft, rootkit
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment