A group of cybersecurity researchers at Bitdefender uncovered another rootkit that managed to get through Microsoft’s Windows Hardware Quality Labs (WHQL) signing process.
The FiveSys rootkit is the second rootkit that Bitdefender’s researchers ran into, which managed to bypass Microsoft’s driver certification process. However, the researchers are confident that FiveSys and its predecessor, Netfilter, are not isolated incidents. It may, instead, be a new trend of malware that is abusing the WHQL signatures.
According to Bitdefender, many documented rootkit cases in the past relied “on stolen digital certificates from legitimate companies, so up until recently malware writers used stolen digital certificates to sign their drivers.”
The new FiveSys is designed to target online games in an attempt to steal credentials and hijack in-game purchases.
And while digital signatures can make life easier, they can also be misused. Bitdefender, which has two decades of experience in the field of cybersecurity, says Microsoft’s new driver signing requirement is to blame because it helps attackers hide their identity.
“This new requirement ensures that all drivers are validated and signed by the operating system vendor rather than the original developer and, as such, digital signatures offer no indication as to the identity of the real developer,” Bitdefender explained.
Windows is no longer accepting drivers which weren’t digitally signed by the company itself. It moved the responsibility away from the original developer of the driver, and it allowed them a new level of anonymity. Bitdefender’s researchers argue that the new digital signature requirement is facilitating the emergence of more rootkits. However, it is yet to be understood how these developers obtained legitimate certificates to cover up their illegitimate work.
The researchers also immediately contacted Microsoft and warned them about the problematic driver. In response, Microsoft had revoked the digital signature.