Posted On 27 Jul 2021
Cybersecurity researchers have revealed that a malicious driver, initially dismissed as a false positive, was officially signed by Microsoft. The driver, called Netfilter, has been shown to be a rootkit that redirects traffic to command-and-control (C&C) servers in China.
Researchers were alerted to Netfilter last week as a potential false positive, since the driver carried a Microsoft signature, but then found the alert was a true positive. Microsoft has been informed of the discovery and was quick to add signatures for the malware to Windows Defender. The company is currently conducting an internal investigation into how the driver came to be signed.
Experts explained that since the launch of Windows Vista, any code running in kernel space must be tested and signed by Microsoft; a driver without a Microsoft signature cannot be installed. Netfilter raised a red flag because it appeared to perform no legitimate function, and its communication with the Chinese servers was a suspicious behaviour pattern.
Industry insiders have asserted that Microsoft has not been able to find any evidence that code-signing certificates were stolen to sign the driver, raising the concerning possibility that it passed legitimately through Microsoft's signing procedures. If so, many will be asking how many other seemingly legitimate but in fact malicious drivers have been signed off by Microsoft and are currently in circulation.
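The two preceding paragraphs make the point that a Microsoft signature on a kernel driver is necessary for it to load but is not proof that the driver is benign. The script below is an added example for defenders, not code from the article or from any vendor mentioned in it: it inventories the kernel drivers currently running on a Windows host, records the signature status, signer and file hash of each, and lists the ones whose signature does not validate or whose signer is not Microsoft as a first triage set. The SHA-256 column is what you compare against a known-good inventory or submit for analysis; the Microsoft-signed entries still need that comparison, which is exactly the lesson of Netfilter. It assumes Windows PowerShell 5.1 or later and an elevated prompt so every driver path is readable.

```powershell
# Added example (not from the article): inventory running kernel drivers and
# report who signed each one. A valid Microsoft signature is recorded but is
# deliberately not treated as a clean verdict.

# Drivers the kernel currently has loaded.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # PathName may carry a \??\ or \SystemRoot\ prefix, or be relative to the
    # Windows directory; normalise it to a plain file path.
    $path = $d.PathName -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($path)) {
        $path = Join-Path $env:SystemRoot $path
    }
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # Authenticode check: Status is Valid, NotSigned, HashMismatch, etc.
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $issuer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }  else { '' }

    [pscustomobject]@{
        Name     = $d.Name
        Path     = $path
        Status   = $sig.Status
        Signer   = $signer
        Issuer   = $issuer
        Sha256   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}

# Full inventory, grouped by signer, suitable for diffing against a baseline
# taken from a known-good build of the same image.
$report | Sort-Object Signer, Name | Format-Table Name, Status, Signer, Sha256 -AutoSize

# First triage list: anything that fails validation or is not Microsoft-signed.
# Microsoft-signed drivers are not excluded from suspicion; they simply need
# the hash/baseline comparison above rather than this quick filter.
$report |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    Format-List Name, Path, Status, Signer, Issuer, Sha256
```

Run the script on a reference machine first and keep its output; on a host under investigation, compare hashes rather than signers, since the article's whole point is that the signer column alone would have passed Netfilter.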