Security Week 26: Rootkit with a legitimate digital signature

Last week, a team of security researchers studied a rootkit known as Netfilter. For the first time discovered a specialist from G Data, the malicious code has traditional functionality: it accesses a server located in China, transmits information about the computer, downloads updates for itself. The difference from many other similar programs is that Netfilter has a legitimate Microsoft digital signature.

Microsoft released Attack bulletin with additional information. The rootkit is part of an attack on gamers, and this campaign is most likely targeted at users in China. The creators of Netfilter were aimed at hacking other users’ accounts and it seems they have built this rather complicated scheme to gain an advantage in the gaming environment. The vendor commented on the driver signature as well. There is no talk of hacking Microsoft’s infrastructure, the rootkit went through the standard certificate issuance procedure, and no malicious functions were found during the check.

All modern versions of Windows, by default, cannot run code with kernel privileges without a Microsoft digital signature. Accordingly, the level of trust in the signed code is quite high: the integrity of the OS depends on the quality of the code verification when issuing a certificate by the vendor. Incidents like Netfilter are rare, and previously only certificate theft has been reported. For example, the Stuxnet attack used drivers signed stolen Realtek and JMicron certificates.

What else happened

Event of the week: forced deletion of all data from NAS WD My Book Live, presumably as a result of malicious activity (see also the discussion on Habré). In a company statement specifiedthat a malicious script exploited an arbitrary code execution vulnerability. Which one is not specified, but the media cite a serious problem as an example, discovered in 2018. The no longer supported NAS received the last update in 2015.

In the Dell laptop update engine discovered vulnerability. Incorrect certificate handling makes a man-in-the-middle attack possible: Researchers have shown how to redirect a user to a dummy server and “distribute” a malicious BIOS update from it.

The Dovecot mail server was closed vulnerability, allowing to be embedded in the exchange of data between the server and the client.

At Check Point Research found Serious (but not exploited) vulnerabilities in Atlassian Jira and Confluence, theoretically making it easy to gain control of an account.

Leaked Sony PlayStation 3 hardware ID base led to random bans of users of Sony online services. It is likely that malicious activity that uses directory IDs ends up blocking the unsuspecting account owner.