Sometimes the most efficient way to sneak into a building is not to dig a tunnel from the one next door, or to look for a little-used side door, but to walk calmly through the main entrance. Cybercriminals seem to have taken note.
No malware is as dangerous as malware that can present some appearance of legitimacy, because that is precisely the kind that will not set off antivirus alarms. That is the case with the new malicious driver 'FiveSys'.
This is how the cybersecurity company Bitdefender describes the nature of FiveSys, which is not simply a driver, but a rootkit:
"The purpose of the rootkit is simple: it aims to redirect Internet traffic on infected machines through a custom proxy [...] for both HTTP and HTTPS; the rootkit installs a custom root certificate so that HTTPS redirection can work."
The software in question is also capable of blocking Windows Registry edits, and even of preventing the installation of rival rootkits. But what is the main entrance through which it has managed to walk in without setting off the alarms of our systems?
Second time in four months that something similar has happened
Well, as Bitdefender's security researchers recently discovered, the driver is signed with a certificate from Microsoft itself, specifically a WHQL (Windows Hardware Quality Labs) certificate, which in theory the company should only issue after carefully checking the driver packages that manufacturers submit through the Windows Hardware Compatibility Program (WHCP).
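The two artefacts the article describes, an extra root certificate that makes HTTPS interception possible and a kernel driver that carries a legitimate-looking signature, are both things a defender can enumerate on a Windows host. The following script is an added example written for this page; it is not code from the article, from Bitdefender or from Microsoft. It assumes an elevated PowerShell 5.1 or later session, and `$KnownRoots` is a placeholder for the root-certificate thumbprints captured from a clean golden image of the same Windows build.

```powershell
# Added example (not from the article or Bitdefender): defender-side triage of
# (1) trusted root certificates that are not in a known-good baseline and
# (2) loaded kernel drivers grouped by Authenticode signer, so that a signed
# driver sitting in an unusual path or under an unfamiliar signer stands out.
# Assumptions: elevated session; $KnownRoots comes from a clean golden image.

$KnownRoots = @(
    'PLACEHOLDER-THUMBPRINT-FROM-GOLDEN-IMAGE'   # replace with the real baseline
)

function Get-UnexpectedRootCert {
    param([string[]]$Baseline)
    # Machine-wide trusted roots; anything outside the baseline is worth a look.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $Baseline -notcontains $_.Thumbprint } |
        Select-Object Subject, Issuer, Thumbprint, NotBefore, NotAfter |
        Sort-Object NotBefore -Descending
}

function Get-DriverSignerReport {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # Win32_SystemDriver may report an NT-style path such as \??\C:\...
            $path = $_.PathName -replace '^\\\?\?\\', ''
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Name   = $_.Name
                State  = $_.State
                Path   = $path
                Status = $sig.Status              # Valid, NotSigned, HashMismatch, ...
                Signer = $sig.SignerCertificate.Subject
            }
        }
}

# A recently added root is the primary indicator for HTTPS interception.
Get-UnexpectedRootCert -Baseline $KnownRoots | Format-Table -AutoSize

# The WHQL publisher signs a great many legitimate drivers, so the review is by
# signer population and install location, not by signature status alone:
# a valid signature says who signed the file, not what the file intends to do.
$report = Get-DriverSignerReport
$report | Group-Object Signer | Sort-Object Count |
    Select-Object Count, Name | Format-Table -AutoSize
$report | Where-Object { $_.Path -notlike "$env:SystemRoot\System32\drivers\*" } |
    Format-Table Name, State, Path, Status, Signer -AutoSize
```

The baseline comparison is deliberately a whitelist rather than a blacklist: the article's point is that the malicious certificate and driver look legitimate, so the useful question is "is this expected on this build?" rather than "does this fail validation?".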
So far, FiveSys has only been detected among Chinese users, which probably indicates that its developers are only interested in that region.
Last June something very similar happened: another rootkit of Chinese origin, this one named 'Netfilter', whose command-and-control servers were also located in China, was validated by Microsoft as a legitimate driver.
In that case the attackers got past Microsoft's checks simply by following the normal procedure and submitting the driver as any ordinary company would, and everything indicates that the same has happened here.
After being notified by Bitdefender, Microsoft has already removed its signature from FiveSys, which will stop it spreading, but will not help the computers on which it has already been installed.
Via | Bitdefender
Image | Ming-yen Hsu (via Flickr)