Microsoft says it is conducting an investigation after the discovery of Chinese spyware officially signed for Windows 10. The malware's authors appear to have simply gone through the official signing process, which normally involves checks by Microsoft, pointing to possible weaknesses in the security of the Windows code-signing system.
Microsoft admits to having mistakenly signed software that turned out to be spyware controlled by actors based in China. The malware in question was hidden in a driver named “NetFilter”. It is a rootkit that communicates constantly with its operators without offering any functionality that is actually useful to users.
The existence of this surprising signed malware was spotted last week. Since Windows Vista, Microsoft has required publishers to sign their drivers and other programs; the signature is what allows them to be installed on the system by default. Malware that carries a signature is usually signed with stolen certificates or by similar means.
MALWARE SIGNED BY MICROSOFT: ITS AUTHORS ONLY HAD TO ASK KINDLY
Legitimate actors, on the other hand, can submit their programs to Microsoft’s internal evaluation process, which normally means the program is analyzed before the firm signs it. By admitting that it officially signed the program, Microsoft reveals flaws in its verification procedures.
Malicious actors only had to use the normal validation process that legitimate third-party publishers use. Microsoft said in a statement: “Microsoft is investigating a malicious actor who has distributed malicious drivers in gaming environments. The actor submitted the drivers for certification through the Windows Hardware Compatibility Program”.
The firm goes on to say: “We have suspended the account and are reviewing their past requests for additional signs of malware”. Microsoft states that the malware in question mainly targeted machines in the gaming sector in China.
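The lesson of this incident is that a valid Microsoft signature on a third-party driver does not by itself prove the driver is benign: drivers passed through the Windows Hardware Compatibility Program are signed with Microsoft's "Windows Hardware Compatibility Publisher" certificate, distinct from the certificate used for Microsoft's own binaries. The following script is an added example, not code from the article or from Microsoft; it inventories the drivers installed on a Windows 10 machine, reports each one's Authenticode signer, and flags WHCP-signed third-party drivers and any driver whose file name is on a watchlist (here seeded with the "netfilter" name from the article; the watchlist and the report layout are assumptions). Run it from an elevated PowerShell session.

```powershell
# Added example: list installed kernel drivers with their Authenticode signer so
# that WHCP-signed third-party drivers can be reviewed instead of being trusted
# on the strength of the signature alone. Assumes Windows 10, run as Administrator.

# Watchlist of driver file names (without extension); "netfilter" is the name
# from the article, the rest is for you to extend (assumption).
$Watchlist = @('netfilter')

function Get-DriverSignatureReport {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName }

    foreach ($d in $drivers) {
        # PathName may be quoted or carry \??\ , \SystemRoot\ or System32\ prefixes.
        $path = $d.PathName.Trim('"')
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $path = $path -replace '^System32\\', "$env:SystemRoot\System32\"
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

        # Third-party drivers signed through WHCP carry Microsoft's HCP publisher
        # certificate, not the certificate Microsoft uses for its own components.
        $whcp  = $signer -like '*Windows Hardware Compatibility Publisher*'
        $base  = [IO.Path]::GetFileNameWithoutExtension($path).ToLower()
        $named = $Watchlist -contains $base

        [PSCustomObject]@{
            Name       = $d.Name
            State      = $d.State
            Path       = $path
            Status     = $sig.Status          # Valid / NotSigned / HashMismatch ...
            Signer     = $signer
            WhcpSigned = $whcp
            Watchlist  = $named
            Sha256     = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

# Surface the drivers worth a second look: watchlisted, WHCP-signed third-party,
# or anything whose signature does not verify.
Get-DriverSignatureReport |
    Where-Object { $_.Watchlist -or $_.WhcpSigned -or $_.Status -ne 'Valid' } |
    Sort-Object Watchlist, WhcpSigned -Descending |
    Format-Table Name, State, Status, WhcpSigned, Watchlist, Signer -AutoSize
```

The Sha256 column is kept on each object so a flagged driver can be checked against vendor or threat-intelligence hashes; a WHCP-signed driver from a publisher you do not recognise is the case this incident shows deserves review.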
This type of abuse highlights flaws in the way Microsoft checks source code before signing software. We certainly hope that the firm will take steps to ensure that this type of incident does not happen again.