Microsoft recently admitted to signing a driver distributed within gaming environments that turned out to be a malicious network filter rootkit. The driver, called “Netfilter,” talks to Command and Control (C2) IP addresses that point to China and aims to spoof gamers’ geo-locations to cheat the system and play from anywhere, Microsoft said. The code signature allowed the malware to be installed on Windows machines without users receiving a security warning or needing to take additional steps.
Mistakes in code-signing allow supply chain attacks to flourish
Before we talk more about how the Microsoft rootkit fiasco, let’s look at how this sort of attack can happen. A rootkit is a type of malware designed to give hackers access to and control a target device. Although most rootkits affect the software and the operating system, some can also infect the computer’s hardware and firmware. Rootkits are adept at concealing their presence, but while they remain hidden, they are active.
On the other hand, digital certificates allow their owners to cryptographically link ownership to a public key for authentication purposes. They are used by threat actors to escape detection as they fool users into downloading malware because it appears legitimate to their systems. For example, in the SolarWinds attack the component that contained the malware was code-signed with the appropriate SolarWinds certificate. The signature made the DLL look like a legitimate component for SolarWinds’ Orion product, and from there, it was bundled into a “patch” and distributed across thousands of customers.
How the story unfolded
On June 17, 2021, Karsten Hahn, a malware analyst at G DATA noticed the rootkit, publicly posting the find and simultaneously reaching out to Microsoft. Hahn noted that the code—a third-party driver for Windows named Netfilter that has been circulating in the gaming community—connected to an IP address in China.
As Hahn detailed in an blog, “[O]ur alert system notified us of a possible false positive because we detected a driver named "Netfilter" that was signed by Microsoft.” But there was nothing wrong with the telemetry. “In this case the detection was a true positive, so we forwarded our findings to Microsoft.”
“What started as a false positive alert for a Microsoft signed file turns out to be a WFP [Windows Filtering Platform] application layer enforcement callout driver that redirects traffic to a Chinese IP. How did this happen?” wrote Hahn. “The core functionality seems to be eavesdropping on SSL connections,” reverse engineer Johann Aydinbas wrote on Twitter. “In addition to the IP redirecting component, it also installs (and protects) a root certificate to the registry.”
Figure 1: Rootkit Malware Signature. Source: ThreatPost
Microsoft confirmed the incident, saying that it had launched an internal investigation, added the malware signatures to Windows Defender, and shared the signatures with security companies.
“Microsoft is investigating a malicious actor distributing malicious drivers within gaming environments. The actor submitted drivers for certification through the Windows Hardware Compatibility Program. The drivers were built by a third party. We have suspended the account and reviewed their submissions for additional signs of malware,” wrote Microsoft.
The post said that Microsoft has found no evidence that either its signing certificate for the Windows Hardware Compatibility Program (WHCP) or its WHCP signing infrastructure had been compromised.
Microsoft added that “The actor’s activity is limited to the gaming sector, specifically in China, and does not appear to target enterprise environments. We are not attributing this to a nation-state actor at this time. The actor’s goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers.”
Protection of code signing keys is essential
Code signing keys and certificates are crucial security assets, but unfortunately, organizations are not taking the appropriate steps to protect them. According to a recent Venafi survey, although respondents understand the risks of code signing, they are not taking proper steps to protect this type of machine identities.
The biggest issue with code signing is the protection of the private signing key associated with the code signing certificate. If the key is compromised, trust is broken and software that appears as legitimate might be disguised malware. Organizations should establish control measures to protect code signing keys, such as the ones outlined in the NIST whitepaper “Security Considerations for Code Signing.”
“The only way to protect themselves and their customers is for organizations to have a clear understanding about when code signing is allowed, where it is being used and insight into the integrations between code signing and development build systems,” says Kevin Bocek.
Venafi CodeSign Protect secures your code signing private keys, automates approval workflows, and maintains an irrefutable record of all code signing activities. Learn how by speaking to one of our experts.