Security Week 26: Rootkit with a legitimate digital signature

Last week, a team of security researchers studied a rootkit known as Netfilter. First discovered by a G Data specialist, the malicious code has traditional functionality: it accesses a server located in China, transmits information about the computer, and downloads updates for itself. The difference from many other similar programs is that Netfilter has a legitimate Microsoft digital signature.

Microsoft released a bulletin on the attack with additional information. The rootkit is part of a campaign against gamers, most likely targeted at users in China. The creators of Netfilter were after other users' accounts and appear to have built this rather complicated scheme to gain an advantage in the gaming environment. The vendor also commented on the driver signature: there is no question of Microsoft's infrastructure having been hacked; the rootkit went through the standard procedure for obtaining a signature, and no malicious functions were found during the check.

All modern versions of Windows, by default, will not run kernel-mode code without a Microsoft digital signature. Accordingly, the level of trust placed in signed code is quite high: the integrity of the OS depends on how thoroughly the vendor checks the code before signing it. Incidents like Netfilter are rare; previously only certificate theft had been reported. For example, the Stuxnet attack used drivers signed with stolen Realtek and JMicron certificates.
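Since the whole trust model rests on that signature, a defender's first question on a suspect host is which loaded drivers are signed, by whom, and whether the signature still verifies. The following PowerShell is an added example (not code from the article or from Microsoft): it lists the running kernel drivers reported by WMI, normalises the NT-style paths they report, and checks each file's Authenticode signature. The helper names `Resolve-DriverPath` and `Get-DriverSignatureReport` are assumptions for this example; it assumes an elevated PowerShell 5.1 or later session on Windows.

```powershell
# Added example: report the Authenticode signature state of running kernel drivers.
# Assumes an elevated PowerShell session; helper names are hypothetical.

function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                      # strip the \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot             # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"   # relative system32\... form
    return $p
}

function Get-DriverSignatureReport {
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if ($path -and (Test-Path $path)) {
                # Checks embedded and catalog signatures; Status is Valid, NotSigned,
                # HashMismatch, UnknownError, etc.
                $sig = Get-AuthenticodeSignature -FilePath $path
                [pscustomobject]@{
                    Name        = $_.Name
                    Path        = $path
                    Status      = $sig.Status
                    Signer      = $sig.SignerCertificate.Subject
                    IsMicrosoft = ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
                }
            }
        }
}

# Anything that does not verify, or that verifies under a non-Microsoft signer,
# is the short list worth reviewing by hand.
Get-DriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' -or -not $_.IsMicrosoft } |
    Sort-Object Status, Name |
    Format-Table Name, Status, Signer -AutoSize
```

The output is a triage list, not a verdict: third-party drivers legitimately signed through Microsoft's attestation process will appear with a Microsoft signer, which is exactly why a case like Netfilter passes this check and has to be caught by behaviour (unexpected network destinations, self-updating) rather than by signature state alone. Conversely, a driver that shows `HashMismatch` or `NotSigned` while running on a system with signature enforcement is the kind of anomaly that should be escalated immediately.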

What else happened

Event of the week: forced deletion of all data from WD My Book Live NAS devices, presumably as a result of malicious activity (see also the discussion on Habré). The company said in a statement that the malicious script exploited an arbitrary code execution vulnerability. Which vulnerability is not specified, but the media point to a serious problem discovered in 2018 as a likely candidate. The NAS, which is no longer supported, received its last update in 2015.

A vulnerability has been found in the Dell laptop update mechanism. Incorrect certificate handling makes a man-in-the-middle attack possible: researchers have shown how a user can be redirected to a dummy server that "distributes" a malicious BIOS update.

A vulnerability has been closed in the Dovecot mail server that allowed an attacker to insert themselves into the data exchange between the server and the client.

Check Point Research found serious (but not exploited in the wild) vulnerabilities in Atlassian Jira and Confluence that, in theory, make it easy to gain control over an account.

A leaked database of Sony PlayStation 3 hardware IDs has led to random bans of users of Sony online services. It is likely that malicious activity using IDs from the database ends up getting the unsuspecting account owner blocked.