Image: Microsoft

Microsoft has confirmed that it recently signed off on a malicious driver that was being distributed within gaming environments. Dubbed “Netfilter” and initially documented by G DATA malware analyst Karsten Hahn, the malicious driver is a rootkit that raised serious suspicions after it was found communicating with Chinese command-and-control (C2) IPs. Microsoft has clarified that there is no evidence of stolen code-signing certificates being used by the malicious actors, but it still isn’t clear what the company meant by “gaming environments.” All Microsoft has said is that the activity is “limited to the gaming sector specifically in China”; no specific platforms or services are named in its blog post.

Image: G DATA

The actor’s activity is limited to the gaming sector specifically in China and does not appear to target enterprise environments. We are not attributing this to a nation-state actor at this time. The actor’s goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers.

Sources: Microsoft, Bleeping Computer, G DATA

5 Comments

  1. This just goes to show that driver signing is meaningless; they literally do nothing, not even look at it.

  2. [QUOTE=”MadMummy76, post: 36901, member: 1298″]
    This just goes to show that driver signing is meaningless, they literally do nothing not even look at it.
    [/QUOTE]
    I would say – it does shift the liability to Microsoft when crap like this happens.

    And for the most part, it does keep random “drivers” out there from being used – it still needs a certificate so it still has to go through some process, as opposed to just being thrown out there on a random download link (or worse, drive-by installed from a bad web page).

  3. [QUOTE=”Brian_B, post: 36936, member: 96″]
    I would say – it does shift the liability to Microsoft when crap like this happens.
    [/QUOTE]
    I’m pretty sure there is a clause in their driver signing contract that they are not liable for any damages caused by the driver.
    Yeah, they might lose a bit of face, but that’s really meaningless while they are a monopoly.

    [QUOTE]
    And for the most part, it does keep random “drivers” out there from being used – it still needs a certificate so it still has to go through some process, as opposed to just being thrown out there on a random download link (or worse, drive-by installed from a bad web page).
    [/QUOTE]
    Well this proves that it doesn’t keep random drivers from being used. It seems that their “certificate” process is to literally slap the certificate on it. Much like the paid 80+ certifications for PSUs.

    I was always of the mind that their signing was more of a hindrance than actual quality added to drivers.
