Microsoft Put Gamers At Risk By Signing Malware Laced Drivers

Driver software require authentication from Microsoft, so that Windows machines know that they can be trusted.

W

Microsoft has inadvertently put gamers at risk. According to security researcher Karsten Hahn, the company signed driver software that was laced with malware. Microsoft confirmed the mistake and said that the malware was sending data to Chinese servers and targeted gamers. The software, called Netfilter, contained a rootkit but somehow escaped Microsoft’s security teams during the certification process, allowing it to act as an official software that Windows users can trust. The company said it is working with the third-party manufacturer to patch the issue and will be delivering the patch to affected users soon, though it didn’t say how many users were affected.

“The actor submitted drivers for certification through the Windows Hardware Compatibility Program. The drivers were built by a third party. We have suspended the account and reviewed their submissions for additional signs of malware,” the company said in a blog post

The Windows Hardware Compatibility Program (WHCP) is designed to authenticate driver software that is made by third parties. Since Windows has to work with numerous hardware devices, manufacturers have to create drivers for the OS to interact with the hardware. And since such interaction requires access to internal layers in Windows, malware built into such a tool can have serious consequences.

Rootkits in general are designed to be invasive. They allow the attacker unprecedented and unauthorized access to a user’s device. According to Microsoft, the malware enables attackers to “gain an advantage in games” and possibly exploit other players by “compromising their accounts through common tools like keyloggers”. Which sounds a lot like malware that is designed to steal gamers’ in-game items and fudge results.

“It’s important to understand that the techniques used in this attack occur post exploitation, meaning an attacker must either have already gained administrative privileges in order to be able to run the installer to update the registry and install the malicious driver the next time the system boots or convince the user to do it on their behalf,” the company said in its post.

Microsoft also confirmed that its WHCP infrastructure hasn’t been compromised, but the company will be taking a closer look at it anyway.

Thanks for reading till the end of this article. For more such informative and exclusive tech content, like our Facebook page