“Netfilter” malicious driver bypasses Microsoft’s signature system

“Netfilter” malicious driver bypasses Microsoft’s signature system

June 30, 2021 | Jie Ji

In June 2021, German computer security solutions software company G Data Software detected a malicious driver named “Netfilter”. Unexpectedly, the malicious driver bypassed and obtained Microsoft’s file signature. When Microsoft learned about it, it immediately added the signature of the malware to the security center of the Windows system for protection, and conducted an internal investigation into the cause of the incident.
In order to improve security, Microsoft started with Windows Vista, requiring any code running in kernel mode to be tested and signed before public release to ensure the stability of the operating system. By default, drivers that have not obtained a Microsoft digital signature certificate cannot be installed.

The malicious program “Netfilter Rootkit” in this incident has external communication and self-update mechanisms, and its feature is that it can redirect IP. The IP address of the attacked target will be redirected to 45[.]248.10.244:3000.

The method of bypassing Microsoft’s signature in this incident is not yet known. It seems that the attacker followed Microsoft’s standard procedure for submitting software programs and used “legal methods” to obtain Microsoft’s signature.

At present, NTI has supported online detection of this incident (https://nti.nsfocus.com), and products that have been enabled by intelligence can also obtain the corresponding IOC (continuous update) in the offline upgrade package, which can be downloaded on the upgrade site. (http://update.nsfocus.com)


This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.