Unveiling the Dark Side: 133 Windows Drivers with Genuine Microsoft Signatures Infected by Malware
In response, Microsoft takes action by suspending the licenses of numerous developers.
Recent revelations have raised concerns among users who diligently update their Windows computers to maintain security. It has come to light that 133 drivers carrying official Microsoft signatures were found to contain malware. This issue is particularly alarming because the operating system automatically loads and installs such drivers without user intervention. The discovery highlights the need for closer scrutiny of the sources and integrity of drivers, and the importance of robust security measures to protect against threats of this kind.
The discovery has raised significant concerns and sparked questions about how such a situation could occur. Microsoft, having been aware of the problem for some time, took action in response. The most recent monthly Windows update promptly blocked the affected drivers, locking the responsible developers' accounts. While these steps may mitigate the immediate risk, it is crucial to delve deeper into the root causes of this issue.
How Malware Actors Stole Certificates
According to Microsoft, the drivers that contained malware had valid signatures, which granted them administrator rights on the affected systems. That meant the malicious actors behind the drivers could potentially access and monitor compromised systems without detection. The drivers in question were sourced from various Microsoft partners, and due to the discovery, the associated developer accounts have since been suspended.
Further investigation revealed that someone illegally obtained developer certificates and used them to sign these malicious drivers. The software manufacturers responsible for the certificates had them stolen and sold online. Because the drivers carried a valid signature from the compromised developers, the stolen certificates allowed the malware to bypass security measures and appear legitimate.
How To Deal With Malicious Drivers
Since March 2023, Windows Defender has included detections that identify these malicious drivers, providing users with an added layer of security. To ensure the best protection against these threats, Microsoft strongly advises users to regularly update Windows Defender, the built-in antivirus solution, and to apply all available Windows updates. These updates often include critical security patches and enhancements that help safeguard against various types of malware, including malicious drivers.
Microsoft recommends performing an offline scan of the system to address the possibility of previously installed malicious drivers before March 2, 2023. This offline scan can help identify potential threats that may have gone undetected during regular online scanning. By conducting an offline scan, users can thoroughly examine their system and take necessary actions to mitigate any risks associated with potentially malicious drivers.
To strengthen protection further, Microsoft has implemented an automatic collection process for the identified malicious drivers. These drivers are now included in a revocation list integrated into the Windows operating system. The revocation list blocks the installation and execution of drivers flagged as malicious, adding an extra layer of protection against known threats.
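The steps above (check what is loaded, refresh Defender, run the offline scan) can be put into one script. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes an elevated session on Windows 10/11 with the built-in Defender module available, and the function name is my own.

```powershell
# Added example (not from the article or Microsoft): inventory running kernel
# drivers, report Authenticode status and signer, then refresh Defender
# definitions and queue the offline scan the article recommends.
# Run from an elevated PowerShell session on Windows 10/11.

function Get-LoadedDriverSignatureReport {
    # Win32_SystemDriver lists drivers known to the Service Control Manager,
    # including the on-disk path of each .sys file.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may carry a \??\ or \SystemRoot\ prefix or quotes.
            $path = $_.PathName -replace '"', '' -replace '^\\\?\?\\', '' `
                                -replace '^\\SystemRoot', $env:SystemRoot
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer = $sig.SignerCertificate.Subject
                Issuer = $sig.SignerCertificate.Issuer
            }
        }
}

$report = Get-LoadedDriverSignatureReport

# Anything that is not 'Valid' deserves a look; a revoked or untrusted
# certificate usually surfaces here as NotTrusted or UnknownError.
$report | Where-Object Status -ne 'Valid' |
    Format-Table Name, Status, Signer -AutoSize

# 'Valid' is not proof of safety: the drivers in the article were validly
# signed too. Review each signer and issuer against the hardware vendors you
# actually expect on this machine.
$report | Where-Object Status -eq 'Valid' |
    Sort-Object Issuer | Format-Table Name, Issuer -AutoSize

# Refresh Defender definitions so the March 2023 driver detections are present,
# and show when the signatures were last updated.
Update-MpSignature
(Get-MpComputerStatus).AntivirusSignatureLastUpdated

# Queue a Defender Offline scan. The machine reboots into the offline
# environment, where drivers loaded before detection existed cannot hide.
Start-MpWDOScan
```

Save the report to a file before calling Start-MpWDOScan, since the reboot ends the session.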
It is worth noting that among the drivers included in the revocation list, a significant number of them possess certificates from China. That emphasizes the need for continuous monitoring and evaluation of driver sources and the importance of maintaining secure and trusted software supply chains. By staying vigilant and keeping their systems up to date, users can better safeguard their devices against the risks associated with malicious drivers and maintain a secure computing environment.