Microsoft signed a driver full of rootkit malware

Microsoft has admitted that it signed a malicious driver that is being distributed in gaming environments.

Microsoft normally vets drivers before it signs them, and that signature is what lets Windows load them: 64-bit Windows refuses to load a kernel driver that does not carry a trusted signature. A driver named Netfilter, which redirects traffic to an IP address in China and installs a root certificate into the registry, passed that process without being detected as malware, specifically a rootkit.
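Two checks a defender would want after reading this are an inventory of root certificates that neither Windows nor Microsoft's Trusted Root Program placed on the host, and a signature report for every driver the system knows about. The script below is an added example written for this page, not code from the article, from Microsoft or from G Data. It assumes an elevated PowerShell prompt on Windows 10 or later and only reads state; the comparison against the AuthRoot store is a heuristic that can flag legitimate roots added by policy, so its output is a starting point for triage, not a verdict.

```powershell
# Added example (not from the original article): read-only triage of the root
# store and of driver signatures on a Windows host. Run from an elevated prompt.

function Get-LocallyAddedRootCert {
    # Roots distributed through Microsoft's Trusted Root Program land in
    # Cert:\LocalMachine\AuthRoot (third-party roots); Microsoft's own roots carry
    # "O=Microsoft Corporation" in their subject. A root in Cert:\LocalMachine\Root
    # that is in neither set was put there locally, which is what an installer does
    # when it writes under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT.
    # Heuristic: roots pushed by group policy will also show up here.
    $authRoot = Get-ChildItem Cert:\LocalMachine\AuthRoot |
        Select-Object -ExpandProperty Thumbprint
    Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
        $authRoot -notcontains $_.Thumbprint -and
        $_.Subject -notmatch 'O=Microsoft Corporation'
    } | Select-Object Subject, Thumbprint, NotBefore, NotAfter
}

function Get-DriverSignatureReport {
    # Enumerate every driver registered with the service control manager and check
    # the file's Authenticode signature. "Valid" only proves the file was signed by
    # a chain this host trusts; the Netfilter case shows that who signed it, and
    # whether that signer should have, still has to be judged by a human.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName may carry a \??\ or \SystemRoot\ prefix, or be relative to
            # the Windows directory; normalise to a plain filesystem path.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not [System.IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot $path
            }
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Name   = $_.Name
                State  = $_.State
                Path   = $path
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Issuer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { '' }
            }
        }
}

# Root CAs that neither Windows nor the Trusted Root Program put on the box.
Get-LocallyAddedRootCert | Format-Table -AutoSize

# Unsigned drivers and drivers signed by anyone other than Microsoft sort first;
# the rest follow so the signer on every loaded driver can still be eyeballed.
Get-DriverSignatureReport |
    Sort-Object @{ Expression = { $_.Status -eq 'Valid' -and $_.Signer -match 'O=Microsoft Corporation' } }, Name |
    Format-Table Name, State, Status, Signer, Path -AutoSize
```

Pipe either function to `Export-Csv` to keep a baseline, then diff later runs against it; a root certificate or a driver that appears between two runs is the thing worth explaining.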


Karsten Hahn, a malware analyst at G Data, found the malicious driver and reported it to Microsoft. Microsoft stated that it promptly added detection signatures to Windows Defender and that it is conducting an internal investigation. It has also suspended the account that submitted the driver and is reviewing that account's previous submissions.

Microsoft's Security Response Center characterized the malware's activity as limited to the gaming sector, specifically in China, and explained the goal: the threat actor uses the driver to spoof their geo-location, cheating the system so they can play from anywhere. The malware gives them an advantage in games and possibly lets them exploit other players by compromising their accounts through common tools such as keyloggers.

Microsoft stated that users will receive clean drivers through Windows Update. Windows users are advised to follow security best practices and run antivirus software such as Windows Defender.

