Microsoft has received reports from Sophos, Trend Micro and Cisco of malicious code inside drivers that carry a Microsoft signature. The researchers found that drivers “certified by Microsoft’s Windows Hardware Developer Program were being exploited maliciously in post-exploitation activity”.
A driver is a software component that lets the operating system communicate with hardware devices, such as printers or mice. Because drivers run in kernel mode, with full access to the system, attackers also abuse them to perform actions that ordinary malware cannot, such as stealing credentials or bypassing anti-cheat mechanisms. Microsoft has a review and signing process intended to ensure that drivers are safe and legitimate. In these cases, however, malicious drivers made it through that process and obtained Microsoft’s signature.
These drivers got past Microsoft’s approval program because they were submitted by a third-party company that held a valid code-signing certificate. That certificate allowed the company to submit drivers to Microsoft for signing through the Windows Hardware Compatibility Program (WHCP). Any code that runs in kernel mode must be tested and signed before public release, both to keep the operating system stable and to keep unvetted code out of the kernel, and by default Windows refuses to load a driver that does not carry a Microsoft signature. That is why attackers try to obtain a partner’s code-signing certificate or access to its WHCP submission account: malware that genuinely carries Microsoft’s signature is far easier to distribute and far less likely to be blocked than malware with a forged or stolen signature. In this case, however, Microsoft said the Netfilter driver was legitimately signed as part of the WHCP. Microsoft trusted the submitting company and did not detect the malware in the driver. The company may have been hacked, or tricked by attackers who wanted to use the driver for cheating and spying. Once Microsoft learned of the problem, it revoked the driver’s signature.
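The practical consequence for defenders is that “signed by Microsoft” is not a sufficient trust signal on its own: a driver signed through the WHCP is third-party code that Microsoft has signed on the developer’s behalf, and its signer certificate is distinguishable from the one used for drivers that ship with Windows. The following PowerShell script is an added example and is not part of the original article or of any Microsoft tooling. It lists the running kernel drivers on a Windows machine, reads the embedded Authenticode signature of each driver image, and separates drivers signed as “Microsoft Windows” (shipped with the OS) from those signed by the “Microsoft Windows Hardware Compatibility Publisher” (third-party code signed via WHCP) and from anything unsigned or invalid. It assumes Windows PowerShell 5.1 or later running as Administrator; the regular expression used to classify signer subjects is my own.

```powershell
# Added example (not from the original article): inventory running kernel drivers
# and classify them by who signed the driver image.
# Assumes Windows PowerShell 5.1 or later, run as Administrator.

$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$inventory = foreach ($d in $drivers) {
    # PathName may be prefixed with \??\ or \SystemRoot\; turn it into a normal filesystem path.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # Get-AuthenticodeSignature reads the embedded signature of the file. A driver that is
    # signed only through a catalog (.cat) file will report NotSigned here, so treat that
    # status as "needs a manual look", not as proof that the driver is unsigned.
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Classification by signer subject (assumption: the two well-known Microsoft signer names).
    $class = if ($sig.Status -ne 'Valid') {
        'Unsigned/Invalid'
    } elseif ($subject -match '^CN=Microsoft Windows,') {
        'Windows inbox'
    } elseif ($subject -match '^CN=Microsoft Windows Hardware Compatibility Publisher,') {
        'Third-party (WHCP-signed)'
    } else {
        'Other signer'
    }

    [pscustomobject]@{
        Name   = $d.Name
        Path   = $path
        Status = $sig.Status
        Signer = $subject
        Class  = $class
    }
}

# Summary: how many drivers fall into each class.
$inventory | Group-Object Class | Select-Object Name, Count | Format-Table -AutoSize

# The drivers that deserve review are the WHCP-signed third-party ones and anything not Valid.
$inventory |
    Where-Object { $_.Class -ne 'Windows inbox' } |
    Sort-Object Class, Name |
    Format-Table Name, Class, Status, Path -AutoSize
```

The point of the last table is the one the incident illustrates: every entry in the “Third-party (WHCP-signed)” group is code written by someone other than Microsoft, and a Valid status only tells you that Microsoft signed what the partner submitted, not that the submission was benign. Compare that list against the hardware actually present on the machine and the software you expect to have installed a driver; an anti-cheat, VPN or network-filter driver on a host that has no reason to run one is worth investigating regardless of its signature.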