Skip to main content
banner image
venafi logo

Microsoft Signed Rootkit Malware That Spreads Through Gaming

Microsoft Signed Rootkit Malware That Spreads Through Gaming

July 7, 2021 | Anastasios Arampatzis

Microsoft recently admitted to signing a driver distributed within gaming environments that turned out to be a malicious network filter rootkit. The driver, called “Netfilter,” talks to Command and Control (C2) IP addresses that point to China and aims to spoof gamers’ geo-locations to cheat the system and play from anywhere, Microsoft said. The code signature allowed the malware to be installed on Windows machines without users receiving a security warning or needing to take additional steps.

Mistakes in code-signing allow supply chain attacks to flourish

Before we talk more about how the Microsoft rootkit fiasco, let’s look at how this sort of attack can happen. A rootkit is a type of malware designed to give hackers access to and control a target device. Although most rootkits affect the software and the operating system, some can also infect the computer’s hardware and firmware. Rootkits are adept at concealing their presence, but while they remain hidden, they are active.

On the other hand, digital certificates allow their owners to cryptographically link ownership to a public key for authentication purposes. They are used by threat actors to escape detection as they fool users into downloading malware because it appears legitimate to their systems. For example, in the SolarWinds attack the component that contained the malware was code-signed with the appropriate SolarWinds certificate. The signature made the DLL look like a legitimate component for SolarWinds’ Orion product, and from there, it was bundled into a “patch” and distributed across thousands of customers.

How the story unfolded

On June 17, 2021, Karsten Hahn, a malware analyst at G DATA noticed the rootkit, publicly posting the find and simultaneously reaching out to Microsoft. Hahn noted that the code—a third-party driver for Windows named Netfilter that has been circulating in the gaming community—connected to an IP address in China.

As Hahn detailed in an blog, “[O]ur alert system notified us of a possible false positive because we detected a driver named "Netfilter" that was signed by Microsoft.” But there was nothing wrong with the telemetry. “In this case the detection was a true positive, so we forwarded our findings to Microsoft.”

“What started as a false positive alert for a Microsoft signed file turns out to be a WFP [Windows Filtering Platform] application layer enforcement callout driver that redirects traffic to a Chinese IP. How did this happen?” wrote Hahn. “The core functionality seems to be eavesdropping on SSL connections,” reverse engineer Johann Aydinbas wrote on Twitter. “In addition to the IP redirecting component, it also installs (and protects) a root certificate to the registry.”

Figure 1: Rootkit Malware Signature. Source: ThreatPost

Microsoft’s response

Microsoft confirmed the incident, saying that it had launched an internal investigation, added the malware signatures to Windows Defender, and shared the signatures with security companies.

“Microsoft is investigating a malicious actor distributing malicious drivers within gaming environments. The actor submitted drivers for certification through the Windows Hardware Compatibility Program. The drivers were built by a third party. We have suspended the account and reviewed their submissions for additional signs of malware,” wrote Microsoft.

The post said that Microsoft has found no evidence that either its signing certificate for the Windows Hardware Compatibility Program (WHCP) or its WHCP signing infrastructure had been compromised.

Microsoft added that “The actor’s activity is limited to the gaming sector, specifically in China, and does not appear to target enterprise environments. We are not attributing this to a nation-state actor at this time. The actor’s goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers.”

Protection of code signing keys is essential

Code signing keys and certificates are crucial security assets, but unfortunately, organizations are not taking the appropriate steps to protect them. According to a recent Venafi survey, although respondents understand the risks of code signing, they are not taking proper steps to protect this type of machine identities.

The biggest issue with code signing is the protection of the private signing key associated with the code signing certificate. If the key is compromised, trust is broken and software that appears as legitimate might be disguised malware. Organizations should establish control measures to protect code signing keys, such as the ones outlined in the NIST whitepaper “Security Considerations for Code Signing.”

“The only way to protect themselves and their customers is for organizations to have a clear understanding about when code signing is allowed, where it is being used and insight into the integrations between code signing and development build systems,” says Kevin Bocek.

Venafi CodeSign Protect secures your code signing private keys, automates approval workflows, and maintains an irrefutable record of all code signing activities. Learn how by speaking to one of our experts.

Related Posts

Like this blog? We think you will love this.
Featured Blog

What Is IP Spoofing?

What is IP Spoofing?

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Anastasios Arampatzis
Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more