Rootkit Malware Found in Signed Windows Driver

Microsoft says the compromised Netfilter driver had a limited impact

Microsoft has stated that a driver certified by the Windows Hardware Compatibility Program (WHCP) was found to contain rootkit malware, but says the certificate infrastructure was not compromised.

In a statement posted in Microsoft's Security Response Center, the company confirms it discovered the compromised driver and has suspended the account that originally submitted it. As pointed out by Bleeping Computer, this incident was likely caused by a weakness in the code-signing process itself.

Microsoft also says that it has seen no evidence that the WHCP signing certificate was compromised, so it's unlikely that someone was able to fake certification.

A rootkit is designed to mask its presence, making it difficult to detect even while it's running. Malware hidden inside a rootkit can be used to steal data, alter reports, take control of the infected system, and so on.

According to Microsoft, the driver's malware seems intended for use with online gaming and can spoof the user's geolocation to allow them to play from anywhere. It may also let them compromise other players' accounts by using keyloggers.

According to the Security Response Center report, "The actor’s activity is limited to the gaming sector specifically in China and does not appear to target enterprise environments." It also states that the driver must be manually installed to be effective.

Unless a system has already been compromised, granting an attacker admin access, or the user installs the driver on purpose, there is no real risk.

Microsoft also says that the driver and its associated files will be detected and blocked by MS Defender for Endpoint. If you think you may have downloaded or installed this driver, you can check "Indicators of Compromise" in the Security Response Center report.