Microsoft have signed multiple rootkits
Looks like a signed driver, it’s not particularly hard to turn any driver into a rootkit especially a networking one.
If you manage to, say, install npcap on a machine, which is also signed these days, you can pretty much capture the entire network traffic and send it wherever you want… heck, both the capturing and the “sending” can be done from within the npcap driver itself, since it can both capture and send packets; the logic, however, needs to reside somewhere else.
The biggest issue here looks to be that MSFT changed their signing protocols.
> In the past, Microsoft only signed the .cat file. Starting with Windows 10, Microsoft now signs all of the portable executables in the returned payload. For example, the .dll file is also signed by Microsoft.
https://docs.microsoft.com/en-us/windows-hardware/drivers/da...
They used to sign only CAT files; now they’ll sign pretty much anything that was submitted. I’m guessing their review process can’t actually validate what these things do other than that they meet the compatibility requirements.
So what they do is that they base their process on “validating” the partner which these days with 100,000 hardware vendors especially in China is pretty darn hard, and even if the process is quite strict it still leaves them open to supply chain attacks.
While it might look bad it’s still better than the alternative: if getting your driver signed were too hard, then it would be the same as the early Windows 7 days, during which even relatively large and reputable hardware vendors asked you to disable the mandatory driver signature checks because they were too slow in getting their software signed.
Also note that this doesn’t impact other signing protection such as SmartScreen; for that Microsoft has a much stricter process. However, I’m also guessing it would be quite possible to sneak something past that too, since plenty of small, even one-man-shop, commercial software managed to get through the red tape for that.
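The comment above distinguishes Microsoft's own binaries from vendor-submitted drivers that carry Microsoft's WHQL signature. As an added example (not code from anyone in this thread), the following PowerShell inventories the running kernel drivers and buckets each one by who signed it, so an operator can see which loaded drivers are Microsoft-signed third-party code versus Microsoft OS binaries, other signers, or unsigned. It assumes Windows 10 or later, PowerShell 5.1 or later (for the `IsOSBinary` property on the signature object), and an elevated session; the bucket names are the example's own.

```powershell
# Added example, not from the thread: inventory running kernel drivers by signer.
# Assumptions: Windows 10+, PowerShell 5.1+, run from an elevated session.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$rows = foreach ($d in $drivers) {
    # PathName is reported as \??\C:\... or \SystemRoot\System32\...; normalise it.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # Get-AuthenticodeSignature consults both the embedded signature and the
    # catalog store, so a catalog-only signed driver still reports Valid.
    $sig     = Get-AuthenticodeSignature -LiteralPath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Bucket names are this example's own. WHQLThirdParty is the case the thread
    # discusses: vendor code carrying Microsoft's hardware-compatibility signature.
    $class = switch ($true) {
        ($sig.Status -ne 'Valid')                                               { 'UnsignedOrInvalid'; break }
        ($sig.IsOSBinary)                                                       { 'MicrosoftOS'; break }
        ($subject -like '*Microsoft Windows Hardware Compatibility Publisher*') { 'WHQLThirdParty'; break }
        default                                                                 { 'OtherSigner' }
    }

    [pscustomobject]@{
        Driver     = $d.Name
        Path       = $path
        Status     = $sig.Status
        Class      = $class
        Signer     = $subject
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
    }
}

# Summary by bucket, then the drivers that deserve a second look.
$rows | Group-Object Class | Select-Object Name, Count | Format-Table -AutoSize
$rows | Where-Object { $_.Class -in 'WHQLThirdParty', 'OtherSigner', 'UnsignedOrInvalid' } |
    Sort-Object Class, Driver |
    Format-Table Driver, Class, Status, Signer -AutoSize
```

A `Valid` status only says the file was signed by a key Windows trusts; it says nothing about what the driver does, which is the comment's point. The useful output is the list of `WHQLThirdParty` and `OtherSigner` entries compared against the hardware the machine is actually expected to have, plus anything `UnsignedOrInvalid` that is nonetheless running.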
The real purpose of all these so-called 'security measures' which many Operating System software companies have implemented (e.g. dev licences, requiring programs to be signed) is to restrict users' ability to use software written by third party entities in favor of software designed by the OS's parent company. The irony is that these big corporations have become some of the least trustworthy entities on the planet - they have become hotbeds for hackers, white collar criminals and psychopaths. Any random software you can download online is more likely to be trustworthy than signed software developed by big tech. With big tech, the chance of software being malware (e.g. spying on you) is almost 100%.
With the offensive posture of the NSA, I would be highly surprised if this weren't true. They can be compelled to do anything, and compelled to keep it secret.
Of course they do. They regularly sign anti-cheat programs which are rootkits, so it’s not even an uncommon occurrence. Being a rootkit is insufficient to flag a program as malicious.
I wonder what would happen if Microsoft required drivers to be redistributable at least by Microsoft and hosted them on a server for download by independent researchers, similar to how fwupd is doing it. Then the researchers could find ways to identify malware and point it out to Microsoft. As a bonus it might make the life of fwupd easier too.
Less likely that Microsoft has signed multiple rootkits, and more likely that someone has either stolen the certificate, has someone at Microsoft signing the malware for them, or has found a vulnerability in the signing process, imo.
I’m sure Apple has/will do similar. Isn’t the point of the cert not so much to vet the recipient but to create cost (including nonmonetary) to attain the cert and then have the ability to rapidly revoke the cert and nullify the malware installed base?
Even if Microsoft makes some pretense of vetting, no one can ever perfectly weed out malware authors in advance, as that would require knowledge of their future thoughts and motivations (hard enough to assess those in the present).
(If Microsoft has failed to revoke certs for known rootkits, by all means bash them hard for that.)
By the way, this is the equivalent of smuggling malicious source code into the Linux kernel. Look what worked better, security-wise.
They're also working on these things https://corexbox.com/3353/microsoft-now-brings-next-gen-game...