In a post on its official security blog, Microsoft confirmed that it accidentally signed a Windows driver that contained rootkit malware. The driver, which had passed through the Windows Hardware Compatibility Program (WHCP), is already known in the gaming community: it presents itself as a VPN but ends up collecting data and sending it to a command-and-control server in China.
The problem was identified by researchers at the German cybersecurity company G Data, who traced it to a third-party driver called Netfilter. According to Microsoft's post, the driver is used to gain an advantage in online games and can also be used to compromise other players' accounts through common tools such as keyloggers.
In its statement, Microsoft said there is no evidence that its WHCP signing certificate was exposed or that its build and signing infrastructure was compromised. The incident is still being investigated; Microsoft has added detections for the driver to Microsoft Defender and says it is refining its partner access policies and its validation and signing process to prevent a repeat.
The driver was built by the Chinese company Ningbo Zhuo Zhi Innovation Network Technology, which had previously worked with Microsoft on security issues involving its files and hardware. The company says it will soon ship an updated driver through Windows Update that incorporates the fixes Microsoft requested.
The impact and functioning of the rootkit
According to Microsoft, the actor's activity was limited to the gaming sector in China, where the driver served as a cheating tool for online games, and it does not appear to have targeted enterprise environments. The driver is only useful to an attacker who already holds administrative privileges on the machine.
Microsoft does not attribute the activity to a nation-state. To use the driver, the attackers must either have already gained administrative privileges on the system or have convinced the user to install the driver themselves. How Netfilter managed to pass WHCP review remains unclear.
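The article's two practical points are that Defender now detects this driver and that the attacker needs administrative rights or a cooperating user to load it. What a defender can do on a fleet today is enumerate the kernel drivers that are actually running, record who signed each one, and flag unexpected names or file locations. The PowerShell script below is an added example written for this page; it is not code from the article, from G Data, or from Microsoft. The pattern `netfilter` is an assumption taken from the driver name in the article, and the `\??\` and `\SystemRoot\` path forms handled below are the ones Win32_SystemDriver commonly reports.

```powershell
# Added example (not from the article or from Microsoft): audit running kernel drivers.
# Run from an elevated PowerShell prompt. Lists each loaded kernel driver with its
# Authenticode status and signer, and flags any whose name or path matches a pattern.
# The default pattern 'netfilter' is an assumption based on the driver name reported
# in the article; replace it with whatever indicator you actually have.

param(
    [string]$NamePattern = 'netfilter'
)

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # Normalise the path forms Win32_SystemDriver reports:
    #   \??\C:\Windows\system32\drivers\x.sys   (NT object-manager prefix)
    #   \SystemRoot\system32\drivers\x.sys      (symbolic root)
    #   system32\drivers\x.sys                  (relative to the Windows directory)
    $path = $d.PathName -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Name    = $d.Name
        Path    = $path
        Status  = $sig.Status                    # Valid, NotSigned, HashMismatch, ...
        Signer  = $sig.SignerCertificate.Subject
        # Flag on name or path only; a WHCP-signed driver will still show Status=Valid
        Flagged = ($d.Name -match $NamePattern) -or ($path -match $NamePattern)
    }
}

$report | Sort-Object Flagged -Descending | Format-Table -AutoSize

# Caveat that matters for this incident: the Netfilter driver carried a genuine
# Microsoft WHCP signature, so its Status would read 'Valid' and its Signer would name
# Microsoft. Signature checks alone do not catch this class of driver. Use the listing
# to spot unexpected names and file locations, and rely on Defender's detections for
# the driver itself.
```

Because the driver in this story was legitimately signed, the `Status` column is the least useful part of the output for this particular case; the value of the audit is the inventory of loaded drivers and their locations, which can be diffed against a known-good baseline or matched against a detection name once Defender or another vendor publishes one.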