Cybercriminals have manipulated a Microsoft security mechanism to bypass Windows security controls, security researchers have said in publishing details of malware that has targeted gamers with credential theft for more than a year.
Named FiveSys by the Bitdefender researchers who discovered it, the new rootkit – malicious software designed to give cybercriminals ‘root’ access with unlimited control of a targeted computer – quietly redirects traffic to specific Internet addresses related to online gaming, allowing the attackers to monitor the activities of targeted users.
The code masked its true functionality well enough to pass undetected through Microsoft’s Windows Hardware Quality Lab (WHQL) quality-assurance process, which requires product developers to test device drivers for compatibility using the Windows Hardware Lab Kit (HLK).
Logs from this testing are then submitted to Microsoft’s Windows Quality Online Services (WQOS), which confirms the software is suitable for use on Windows.
WQOS creates a unique digital signature that enables certified drivers to be installed on a Windows computer using the official Windows Update program – which lends a degree of confidence for end users.
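A WHQL signature is Microsoft attesting that a third party's driver passed its process, not a statement that Microsoft wrote the driver, and the signer of the certificate chain shows the difference. The following PowerShell inventory of loaded kernel drivers and their signers is an added example, not code from the article or from Bitdefender; the signer subject it matches on is the certificate Microsoft uses for WHQL/attestation signing, and `Win32_SystemDriver` path handling is assumed to cover the common path forms.

```powershell
# Added example: list kernel drivers and who actually signed each one, so a
# WHQL-attested third-party driver is not mistaken for a Microsoft-authored one.
# Read-only; run from an elevated PowerShell prompt.

# Subject used by Microsoft when it signs third-party drivers through WHQL/attestation.
$whqlSubject = 'Microsoft Windows Hardware Compatibility Publisher'

function Get-DriverSigner {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $issuer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }  else { '' }
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer = $subject
        Issuer = $issuer
        IsWhql = ($subject -like "*$whqlSubject*")
    }
}

# Driver image paths come from the service database. PathName is assumed to be a
# plain path, a \??\ device path, or a \SystemRoot-relative path; normalise all three.
$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $p = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (Test-Path -LiteralPath $p) { Get-DriverSigner -Path $p }
    }

# Drivers Microsoft attested for a third party: the developer, not Microsoft, wrote these.
'--- WHQL/attestation-signed third-party drivers ---'
$drivers | Where-Object IsWhql | Sort-Object Path | Format-Table Path, Status, Signer -AutoSize

# Anything without a valid signature deserves a closer look. Note that inbox drivers
# may be catalog-signed rather than embedded-signed, so confirm before treating
# a NotSigned status as suspicious.
'--- drivers without a valid embedded signature ---'
$drivers | Where-Object { $_.Status -ne 'Valid' } | Sort-Object Path | Format-Table Path, Status, Signer -AutoSize
```

For incident triage, export the full `$drivers` list and compare signer subjects and issuers against a known-good baseline from an identical build rather than judging each entry in isolation.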
“Digital signatures are a way of establishing trust,” an analysis by Bitdefender’s DracoTeam says, noting that the issuing of a valid certificate “helps the attacker navigate around the operating system’s restrictions on loading third-party modules.”
“Once loaded, the rootkit allows its creators to gain virtually unlimited privileges.”
The use of fraudulently acquired digital signatures isn’t new, but previous attacks usually relied on cybercriminals stealing a third party’s digital certificate and attaching it to their own code to slip under the operating system’s security radar.
Because digital certificates are tied to their original owner, whose details are displayed when the software is being installed, malware signed in this way would be an obvious fake if scrutinised.
However, when FiveSys was being installed, Windows would tell end users that the application was signed by Microsoft – seeming for all intents and purposes to be…