A recent report by cybersecurity firm Bitdefender shows that e-criminals have been using a particular rootkit, dubbed “FiveSys,” that bafflingly received a digital signature from Microsoft.
The malicious program apparently allowed attackers “virtually unlimited privileges” on affected systems and was used by hackers to target online gamers for credential theft and in-game purchase hijacking. Researchers say it’s definitely possible that “FiveSys” could be redirected towards other kinds of data theft, too.
Rootkits are malicious programs designed to allow criminals prolonged access to a particular server or device. With a rootkit, an attacker can remain embedded in a particular computer, unbeknownst to the device’s operating system or its anti-malware defences, for long periods of time. They also typically give attackers high levels of control over a particular system or device.
Digital signatures, meanwhile, are basically algorithms that companies and other large organisations use for security purposes. Signatures create a “virtual fingerprint” connected to specific entities that are meant to verify their trustworthiness. Microsoft utilises a digital signing process as a security measure meant to rebuff programs that do not appear to have come from trusted sources.
However, the company’s security protocols appear to have been no match for the “FiveSys” rootkit and its cybercriminal handlers — which managed to get their malicious program signed with Microsoft’s digital rubber stamp of approval. It’s not totally clear how they did that.
“Chances is that it was submitted for validation and somehow it got through the checks,” Bogdan Botezatu, director of threat research and reporting, told ZDNet. “While the digital signing requirements detect and stop most of the rootkits, they are not foolproof.”
After being contacted by Bitdefender, Microsoft subsequently revoked the rootkit’s signature, meaning the program will no longer have access to systems. When reached for comment, a Microsoft spokesperson provided Gizmodo with the following statement: “We have built-in detections in place and we continue to investigate and take the necessary steps to help protect customers.”