Microsoft signed a driver loaded with rootkit malware

by Joseph K. Clark

Operating system creators offer code signing to help you steer clear of malicious software, but Microsoft may have inadvertently broken the trust that signing is meant to create. BleepingComputer says Microsoft has confirmed that it signed Netfilter, a third-party driver for Windows containing rootkit malware that circulated in the gaming community. As security researcher Karsten Hahn found days earlier, it passed through the Windows Hardware Compatibility Program (WHCP) despite connecting to malware command and control servers in China.

It’s unclear how the rootkit made it through Microsoft’s certificate signing process. However, the company said it was investigating what happened and would be “refining” the signing process, partner access policies, and validation. There’s no evidence the malware writers stole certificates, and Microsoft didn’t believe this was the work of state-sponsored hackers.


The driver maker, Ningbo Zhuo Zhi Innovation Network Technology, worked with Microsoft to study and patch any known security holes, including affected hardware. Users will get clean drivers through Windows Update.

Microsoft said the rogue driver had a limited impact. It was aimed at gamers and isn’t known to have compromised enterprise users. Also, the rootkit only works “post-exploitation,” according to Microsoft — you need to have already obtained administrator-level access on a PC to install the driver. Netfilter shouldn’t pose a threat unless you go out of your way to load it, in other words.

Even so, the incident isn’t entirely comforting. Many people see a signed driver as confirming that a driver or program is safe. Those users might be hesitant to install new drivers in a timely fashion if they’re worried there might be malware, even if those drivers come straight from the manufacturer.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.

Related Posts

Leave a Comment