Microsoft signed a malicious Netfilter rootkit


Level 62
Thread author
Top poster
Content Creator
Apr 24, 2016
From Karsten Hahn @struppigel :
What started as a false positive alert for a Microsoft signed file turns out to be a WFP application layer enforcement callout driver that redirects traffic to a Chinese IP. How did this happen?

Last week our alert system notified us of a possible false positive because we detected a driver[1] that was signed by Microsoft. Since Windows Vista, any code that runs in kernel mode is required to be tested and signed before public release to ensure stability for the operating system. Drivers without a Microsoft certificate cannot be installed by default.

In this case the detection was a true positive, so we forwarded our findings to Microsoft who promptly added malware signatures to Windows Defender and are now conducting an internal investigation. At the time of writing it is still unknown how the driver could pass the signing process.

Vitali Ortzi

Level 22
Top poster
Dec 12, 2016
Then Can we expect other malware with ms signature?
Probably as Microsoft signs a lot of hardware vendors drivers over in China
Won’t be surprised if they mistakenly sign a malicious one

That was fast that you posted this :D
Waiting for more information you and your friends could gather about this SSIRP Girard malware or whatever it’s called

Anyway any update from Microsoft land ?
Or are they too busy copycating Mac OS for windows 11 lol


Level 12
Top poster
Aug 2, 2020
Microsoft has now confirmed signing a malicious driver being distributed within gaming environments.

This driver, called "Netfilter," is in fact a rootkit that was observed communicating with Chinese command-and-control (C2) IPs.

G Data malware analyst Karsten Hahn first took notice of this event last week and was joined by the wider infosec. community in tracing and analyzing the malicious drivers bearing the seal of Microsoft.

It turns out, the C2 infrastructure belongs to a company classified under "Communist Chinese military" by the US Department of Defense.

This incident has once again exposed threats to software supply-chain security, except this time it stemmed from a weakness in Microsoft's code-signing process.