Romania-based cyber security company BitDefender researchers found a Microsoft-signed rootkit that targets Chinese internet users and gamers, redirecting them to malicious sites with special proxy servers.


The interesting thing about this rootkit, FiveSys, was that it was signed by Microsoft. In a short report published by the researchers, it was underlined that digital signatures are an easy way to establish trust in software, so a rootkit carrying a valid signature can pass signature checks and be installed in the kernel. Once the kernel driver is installed on the system, the malware's developers can act on the system with unlimited privileges.

Rootkits are often used by threat actors to act with elevated privileges on the system and evade both the operating system itself and security software. Their main purpose is to provide long-term persistence.

FiveSys uses this persistence to redirect affected systems to malicious addresses through a special proxy server for HTTP and HTTPS connections. Depending on the attackers' choice, the infected system itself can also be used as a proxy.

This is the second instance of a rootkit signed by abusing Microsoft's WHQL (Windows Hardware Quality Labs) process. Netfilter, which we reported on earlier, was also signed in this way and bypassed driver signature enforcement on the systems it targeted. Unless Microsoft applies the necessary controls to its digital signing process, we can expect to see more damage of this type.


Michael Lewis
