Nice: Microsoft signierte signed network filter driver acting as a rootkit from China

Sicherheit (Pexels, allgemeine Nutzung)[German]Security researchers have come across a Microsoft digitally signed WFP Application Layer Enforcement Callout Driver, which turned out to be a network filter rootkit. The driver automatically established connections to an IP address used by a server in China. Here is some information about this strange case.

I became aware of the case via the following tweet from Kevin Beaumont, which is documented at GData in this blog post.

Network-Filter-Rootkit

Looking at the details from Virustotal, it is a network filter that carries a valid signature and has been signed by Microsoft, but is a rootkit, which phones to China.

Rootkit-Signatur

On Twitter, Beaumont posted more details about the driver. But the more interesting thing is the GData blog post here. In mid-June 2021, the GDATA alert system struck, informing their analysis of a possible false positive. Discovered was a driver that was signed by Microsoft. Since Windows Vista, any code that runs in kernel mode must be tested and signed before public release to ensure the stability of the operating system. Drivers without a Microsoft certificate cannot be installed by default.

It was not a false positive alarm

In this case, the detection of the digitally signed driver as malware was a positive hit. The signed driver was dropped by a dropper under the following path.

%APPDATA%\netfilter.sys

Then another file:

%TEMP%\c.xalm

which then executed a command to enter and register the driver in the registry. GData then describes that the Netfilter driver accesses the rookit's server to retrieve updated binaries as well as configuration information. According to WHOIS, it belongs to Ningbo Zhuo Zhi Innovation Network Technology Co, Ltd, a company listed by the US Department of Defense as a communist Chinese military company.

The details can be found in the GDATA blog post. Anyway, the Chinese managed to get Microsoft to sign the driver. After GData forwarded these findings to Microsoft, Redmond immediately added malware signatures to Windows Defender. At the same time, an internal investigation was started to clarify how this digital signing could happen. So far, however, no result is known. 

This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *