Rootkits with a valid digital signature issued by Microsoft


Bitdefender has observed a growing number of rootkits carrying valid digital signatures issued by Microsoft. For the moment the campaign is aimed at online gamers, but other targets could be just as profitable for the attackers.

Experts at Bitdefender Labs have identified FiveSys, a new rootkit that carries its own valid digital signature issued by Microsoft rather than abusing a stolen one. FiveSys reportedly targets online gamers in order to steal digital identities and interfere with in-game purchases. By obtaining a freshly issued Microsoft signature, the attackers are taking an entirely new route: until now, they relied on signatures stolen from other companies to make their malware appear legitimate and trustworthy. This new approach has been observed with growing intensity in recent months.

Microsoft certificates were valid

A supposedly real digital Microsoft certificate (Image: Bitdefender).

Bitdefender reported the misuse to Microsoft, together with supporting evidence, and the company revoked the signature shortly afterwards.

Over the past few months, Bitdefender's experts have stepped up their monitoring of malicious drivers that carry valid digital signatures issued through the Microsoft WHQL signing process. The activity, observed over the course of a year, originates in China. It is currently confined to that country and to games sold on the local market, and it is financially motivated. The experts assume that several different authors are behind these attacks: the tools involved share the same functionality but are implemented differently. The rootkit's main job is to redirect Internet traffic to a proxy server set up by the attackers. To do so, the driver installs a local proxy auto-configuration (PAC) script for the browser.

Beware of digital signatures for malware

The experts expect attackers to make increasing use of Microsoft-issued digital signatures to disguise their malware in the future. One of the main reasons for this new tactic is likely Microsoft's driver-signing requirements: every driver must carry a digital signature from Microsoft before the operating system will accept it. This guarantees that the driver has been validated and signed by the vendor of the operating system, but as a consequence the digital signature no longer reveals anything about the driver's actual developer. A further danger follows from this: a Microsoft signature on a supposed driver is likely to mislead many users into allowing the installation of malware that carries an undeserved good reputation.
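The two points above, that a WHQL signature no longer identifies the developer and that the driver redirects traffic through a local PAC script, both translate into host checks a defender can run. The following PowerShell is an added example for this article, not code from Bitdefender or from the rootkit analysis. It assumes an elevated session on the host being triaged; the WHQL signer subject string and the "suspicious PAC location" heuristic are this example's own assumptions, and its output is a starting point for review, not a verdict.

```powershell
# Added example (not from the Bitdefender article): triage loaded kernel
# drivers and the browser's proxy auto-configuration on a Windows host.
# Assumptions: elevated PowerShell 5.1 or later; the signer subject below is
# the one attestation/WHQL-signed drivers normally carry (example assumption).

$WhqlSigner = 'CN=Microsoft Windows Hardware Compatibility Publisher'

function Get-DriverSignatureReport {
    # Enumerate every driver the kernel currently has loaded, resolve its
    # on-disk image and record who signed it. Because WHQL-signed drivers are
    # signed by Microsoft, the Signer field says nothing about the developer;
    # the VersionInfo company name and the file location are what is left
    # to review, and both are under the driver author's control.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            $path = [Environment]::ExpandEnvironmentVariables($path)
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig = Get-AuthenticodeSignature -FilePath $path
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            [pscustomobject]@{
                Name       = $_.Name
                Path       = $path
                Status     = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                Signer     = $subject
                WhqlSigned = ($subject -eq $WhqlSigner)
                Company    = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
                # Drivers outside the standard drivers directory deserve a
                # closer look regardless of signature (heuristic, not proof).
                OddPath    = ($path -notlike "$env:SystemRoot\System32\drivers\*")
            }
        }
}

function Get-ProxyAutoConfigReport {
    # The rootkit described above points the browser at a local PAC script.
    # Per-user WinINet proxy settings live under this registry key.
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $props = Get-ItemProperty -Path $key
    $pac   = [string]$props.AutoConfigURL

    # A PAC loaded from local disk, a UNC path or loopback is unusual in a
    # managed environment (example heuristic; confirm before acting on it).
    $local = $pac -and (
        $pac -match '^(file:|[A-Za-z]:\\|\\\\)' -or
        $pac -match '^https?://(127\.|localhost)'
    )

    [pscustomobject]@{
        AutoConfigURL = $pac
        ProxyEnable   = $props.ProxyEnable
        ProxyServer   = $props.ProxyServer
        LocalPac      = [bool]$local
    }
}

# Usage: list drivers whose signature fails or that carry only the Microsoft
# WHQL signer, then show the current proxy auto-configuration.
Get-DriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' -or $_.WhqlSigned -or $_.OddPath } |
    Sort-Object Status, WhqlSigned, Name |
    Format-Table Name, Status, WhqlSigned, OddPath, Company, Path -AutoSize

Get-ProxyAutoConfigReport | Format-List
```

Most legitimate third-party drivers will show up as WHQL-signed, which is exactly the article's point: the signature check alone cannot separate them from a FiveSys-style driver, so the report deliberately surfaces the file path, the self-declared company name and the signature status side by side for a human to weigh. If a PAC entry turns out to point at a local file, read that script: it is where the redirection to the attacker's proxy is expressed.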

Rootkit with a valid WHQL digital signature

Increased activity with forged certificates in recent months (Image: Bitdefender).

The activity of FiveSys, and of Netfilter, the first rootkit found with a valid WHQL digital signature, shows that attackers have found a way around Microsoft's requirements for obtaining a certificate. These cannot be assumed to be isolated cases; rather, further malware will use purpose-issued digital signatures in the future.

Digital signatures, which are meant to attest to the legitimacy of software and create trust, in this case help attackers bypass the restrictions on loading third-party modules into the operating system kernel. Once a rootkit is installed, its developers enjoy virtually unlimited privileges.

Rootkit Risks

More than a decade ago, rootkits were at the forefront of cybercrime. These covert programs were built to give attackers a permanent foothold on victims' machines and to hide their activity from the operating system and from anti-malware products. Malware living in the operating system kernel appears to be spreading again, after the security mechanisms introduced with Windows Vista had last pushed it back.

More at Bitdefender.com

About Bitdefender

Bitdefender is a leading global provider of cybersecurity solutions and antivirus software, protecting over 500 million systems in more than 150 countries. Since it was founded in 2001, the company's innovations have consistently ensured excellent security products and intelligent protection for devices, networks and cloud services for private customers and companies. As the supplier of choice, Bitdefender technology is found in 38 percent of security solutions deployed around the world and is trusted and recognized by industry experts, manufacturers and customers alike. www.bitdefender.de
