Microsoft Admits It Signed Rootkit Malware That Phones Home To Chinese Military


Ever since the introduction of Windows Vista in early 2007, Microsoft has enforced the rule that Windows drivers must carry digital signatures by default. Any software that runs in kernel mode, in fact, has to be signed by the company. This is a security measure that should prevent malicious software from digging its claws in too deep. However, what happens when Microsoft gives its blessing to a rootkit?

That's what happened a few months ago and was just now discovered thanks to G DATA Software security analyst Karsten Hahn. Initially, the company received what looked like a false-positive alert on a driver that was signed by Microsoft. After a lot of investigation into the matter, it turned out that the alert was a true positive. A driver signed by Microsoft was redirecting traffic bound for hundreds of IP addresses to a server in China. 

The WHOIS record for the IP address in question belongs to Ningbo Zhuo Zhi Innovation Network Technology Co., Ltd. According to the United States Department of Defense, the company is a front for the Chinese military. The rogue server is still active and currently sends back a string of URLs, which the driver then parses. Each of those addresses returns a different piece of the driver's configuration. One points to a text file containing the list of IP addresses that should be redirected and where to redirect them. 


Windows Defender signatures now detect this rootkit, which is apparently still in active use. HotHardware has visited the URLs used by the rootkit and we can confirm that they're all still active. Users apparently had no indication that their traffic had been redirected, so it seems the purpose of intercepting it was information theft. That's par for the course, but the digital signature is a new and very dangerous wrinkle. 

The question remains open, though: how did a rootkit make it through Microsoft's digital signature process? That's the subject that the company is actively investigating internally. The last time the company had a digital signature issue, certificates belonging to Realtek were stolen as part of Stuxnet. Hahn's G DATA blog post only indicates that Microsoft didn't know how this happened. 

In a statement to Bleeping Computer, Microsoft elaborated, saying that unlike past signature snafus, this one didn't involve stolen certificates: 

Microsoft is investigating a malicious actor distributing malicious drivers within gaming environments. The actor submitted drivers for certification through the Windows Hardware Compatibility Program. The drivers were built by a third party. We have suspended the account and reviewed their submissions for additional signs of malware.
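The practical lesson for defenders is that "signed by Microsoft" no longer settles the question: a driver submitted through the Windows Hardware Compatibility Program carries a Microsoft signature even though Microsoft did not write it. The following PowerShell audit script is an added example, not code from the article, G DATA, or Microsoft. It lists the kernel drivers currently running on a Windows host and pulls out those whose Authenticode signer is the WHCP publisher, so an administrator can review the third-party drivers that reached the kernel by this route and compare their hashes against Defender or other threat-intelligence sources. It assumes the publisher common name shown in the script is the one Microsoft uses on WHCP-signed submissions; the driver path normalisation and the output fields are the script's own choices.

```powershell
# Added example (not from the article): enumerate running kernel drivers that
# were signed via the Windows Hardware Compatibility Program, i.e. third-party
# code carrying a Microsoft signature. Treat the output as a review list for
# an administrator, not as a verdict; a WHCP signature alone is not malicious.

# Assumption: this is the subject CN Microsoft places on WHCP-signed drivers.
$WhcpPublisher = 'Microsoft Windows Hardware Compatibility Publisher'

function Get-WhcpSignedDriver {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may use the \??\ or \SystemRoot\ prefixes; rewrite them
            # into a path that Test-Path and Get-AuthenticodeSignature accept.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig = Get-AuthenticodeSignature -FilePath $path
            [PSCustomObject]@{
                Name   = $_.Name
                Path   = $path
                Status = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                Signer = $sig.SignerCertificate.Subject
                SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        } |
        Where-Object { $_.Signer -like "*CN=$WhcpPublisher*" }
}

# Print the review list; hashes can be checked against Defender detections
# or an internal allow-list of drivers the organisation actually deploys.
Get-WhcpSignedDriver | Sort-Object Name | Format-Table -AutoSize
```

Drivers signed directly by Microsoft (the Windows components themselves) carry a different signer subject and are filtered out, which keeps the list short enough to review by hand. A driver that is WHCP-signed, not present on the organisation's allow-list, and whose file hash matches a known detection is the combination worth escalating.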

Microsoft's statement says that most of the targeted systems were gaming cafes in China, but the company has not yet blamed state actors, as it did last fall