Operating system makers offer code signing to help keep you away from hostile software, but Microsoft may have inadvertently broken the trust that signing is meant to create. BleepingComputer says Microsoft has confirmed that it signed Netfilter, a third-party driver for Windows that contained rootkit malware circulating in the gaming community. The driver passed the Windows Hardware Compatibility Program (WHCP) despite connecting to malware command-and-control servers in China, as security researcher Karsten Hahn found days before.
It’s unclear how the rootkit made it through Microsoft’s certificate signing process, although the company said it was investigating what happened and that it would “refine” the signing process, partner access policies and validation. There is no evidence that malware writers have stolen certificates, and Microsoft does not believe this is the work of state-sponsored hackers.
The driver manufacturer, Ningbo Zhuo Zhi Innovation Network Technology, was working with Microsoft to study and repair any known security holes, including for the affected hardware. Users will get clean drivers through Windows Update.
Microsoft said the rogue driver had a limited impact. It was aimed at gamers, and is not known to have compromised enterprise users. Also, the rootkit only works “post-exploit,” according to Microsoft – you need to already have administrator-level access on a PC to install the driver. In other words, Netfilter shouldn’t pose a threat unless you go out of your way to load it.
Even so, the incident is not entirely comforting. Many people see a signature as confirmation that a driver or program is safe. Those users may be hesitant to install new drivers right away if they are worried that they may contain malware, even if the drivers come directly from the manufacturer.