Microsoft is still digitally signing malware

Sometimes when breaking into a secure facility, it is easier to enter through the front door than going over the wall. Hackers are increasingly finding this to be true when it comes to getting malware onto Windows.

Earlier this year a malware called “Netfilter” was signed by Microsoft’s hardware labs, allowing it to bypass Windows’s built-in defences. The Netfilter rootkit was a malicious kernel driver which was being distributed with Chinese games and which communicates with Chinese Command and Control servers.

It appears the company defeated Microsoft’s security simply by following normal procedures, and submitting the driver as any normal company would.

Bitdefender security researchers have now identified a new Microsoft-signed rootkit, named FiveSys, that has also been digitally signed by Microsoft’s  Windows Hardware Quality Labs (WHQL) and is being distributed to Windows users in wild, particularly in China.

The purpose of the FiveSys rootkit is to redirect the internet traffic in the infected machines through a custom proxy, which is drawn from a built-in list of 300 domains. The redirection works for both HTTP and HTTPS; the rootkit installs a custom root certificate for HTTPS redirection to work. In this way, the browser doesn’t warn of the unknown identity of the proxy server.

The rootkit also uses various strategies to protect itself, like blocking the ability to edit the registry and stopping the installation of other rootkits and malware from different groups.

Bitdefender contacted Microsoft who revoked the signature shortly after, but who knows how many other trojan horses are in the wild.

via Neowin