Cybercriminals have manipulated a Microsoft security mechanism to bypass Windows security controls, security researchers have said in publishing details of malware that has targeted gamers with credential theft for more than a year.
Named FiveSys by the Bitdefender researchers who discovered it, the new rootkit – malicious software designed to give cybercriminals ‘root’ access with unlimited control of a targeted computer – quietly redirects traffic to specific Internet addresses related to online gaming, allowing its operators to monitor the activities of targeted users.
The code successfully masked its true functionality well enough that it went undetected by Microsoft’s Windows Hardware Quality Lab (WHQL) quality-assurance process, which requires product developers to test device drivers for compatibility using the Windows Hardware Lab Kit (HLK).
Logs from this testing are then submitted to Microsoft’s Windows Quality Online Services (WQOS), which confirms the software is suitable for use on Windows.
WQOS creates a unique digital signature that enables certified drivers to be installed on a Windows computer using the official Windows Update program – which lends a degree of confidence for end users.
“Digital signatures are a way of establishing trust,” an analysis by Bitdefender’s DracoTeam says, noting that the issuing of a valid certificate “helps the attacker navigate around the operating system’s restrictions on loading third-party modules.”
“Once loaded, the rootkit allows its creators to gain virtually unlimited privileges”.
The use of fraudulently acquired digital signatures isn’t new, but previous attacks usually relied on cybercriminals stealing a third party’s digital certificate and attaching it to their own code to slip under the operating system’s security radar.
Because digital certificates are tied to their original owner, whose details are displayed when the software is being installed, malware signed in this way would be an obvious fake if scrutinised.
However, when FiveSys was being installed, Windows would tell end users that the application was signed by Microsoft – seeming for all intents and purposes to be legitimate.
New Microsoft security policies prevent Windows from installing any device drivers that have not been signed through the company’s Dev Portal – but this could backfire, Bitdefender warned, because it “ensures that all drivers are validated and signed by the operating system vendor rather than the original developer.”
“As such,” it notes, “digital signatures offer no indication as to the identity of the real developer… The fact that they have digital signatures issued by Microsoft might trick unsuspecting users into believing they are legitimate drivers and accept their installation.”
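The point Bitdefender makes above is that a driver signed through Microsoft’s portal carries Microsoft’s certificate regardless of who wrote it, so the signature alone says nothing about the developer. The following PowerShell inventory is an added example, not code from the article or from Bitdefender: it lists the kernel drivers registered on a machine, records the signing status and signer of each file, and separates drivers with a broken or revoked signature from Microsoft-signed drivers whose own version resource names a different company. It uses only built-in cmdlets; the signer name ‘Microsoft Windows Hardware Compatibility Publisher’ is the certificate Microsoft uses for portal-signed drivers, a known value that the article itself does not state.

```powershell
# Added example (not from the article): inventory registered kernel drivers and who signed them.
# Assumes built-in Windows PowerShell cmdlets only; run from an elevated prompt.

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver.PathName arrives in several shapes; normalise to a filesystem path.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                    # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot    # \SystemRoot\... -> C:\Windows\...
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\x.sys
    return $p
}

$report = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not (Test-Path -LiteralPath $path)) { return }
        $sig     = Get-AuthenticodeSignature -LiteralPath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Service      = $_.Name
            State        = $_.State
            StartMode    = $_.StartMode
            Path         = $path
            SigStatus    = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
            SigType      = $sig.SignatureType   # Authenticode (embedded) or Catalog (typical for inbox drivers)
            Signer       = $subject
            # Portal-signed drivers carry Microsoft's certificate whatever company wrote them,
            # so this flag means "Microsoft vouched for it", not "Microsoft wrote it".
            PortalSigned = $subject -like '*Microsoft Windows Hardware Compatibility Publisher*'
            CompanyName  = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
        }
    }

# 1. Drivers with a signature problem: unsigned, tampered, or a revoked/untrusted chain.
#    A certificate Microsoft has revoked after a report shows up here as NotTrusted.
$report | Where-Object SigStatus -ne 'Valid' |
    Format-Table Service, State, SigStatus, Path -AutoSize

# 2. Microsoft-signed drivers whose version resource names a different company.
#    Legitimate third-party hardware drivers land here too; this is a review list,
#    because the signature cannot tell you who the developer was.
$report | Where-Object { $_.PortalSigned -and $_.CompanyName -notlike '*Microsoft*' } |
    Format-Table Service, State, CompanyName, Path -AutoSize
```

The second table is deliberately not a detection: every WHQL-signed vendor driver on a normal machine appears in it, which is exactly the problem the article describes. What it does give an administrator is a short list of drivers whose developer identity has to be established from something other than the signature, such as the service’s install source or the company named in the file’s version resource.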
Cat-and-mouse game
Successfully deceiving Microsoft’s software tests is no laughing matter. Another such tool, called Netfilter, was discovered by German security firm G Data in June, with malware analyst Karsten Hahn noting that it was “still unknown how the driver could pass the signing process”.
Microsoft disables such software by revoking its digital certificate once it is discovered and reported; however, given the success of FiveSys – which is said to have been circulating among Chinese online gamers for a year – discovering the deception isn’t always easy or quick.
FiveSys’s authors “seem to originate from China and target several domestic games”, the analysis says, noting that its signatures had been detected at low volumes since last September but spiked in July.
Dark-web trading in stolen valid digital certificates drove high demand in malware authors’ circles, with the EU Agency for Cybersecurity (ENISA) warning owners of digital certificates to think of them as “high value assets” and protect them accordingly.
Yet each time operating-system vendors develop new protections, cybercriminals have continued to work around the new security mechanisms, sometimes bypassing multiple layers of security by exploiting esoteric vulnerabilities in the platforms.
“Even though, technically speaking, the malware families are not among the sophisticated ones,” Bitdefender noted, “the fact that they abuse digital signatures in this manner seriously undermines the credibility of this protection mechanism.”
New zero-day vulnerabilities are continually being discovered and patched in Microsoft’s ‘Patch Tuesday’ updates, while Apple rushed to patch macOS earlier this year after researchers discovered a way to circumvent its Gatekeeper, file quarantine, and notarisation security mechanisms using malware disguised as a normal document file.
A day before its major September product launch, Apple also pushed out new versions of all four of its operating systems to fix security issues such as a vulnerability exploited by NSO Group’s Pegasus spyware, which could install malware on targets’ iPhones without any user interaction.