Microsoft has revoked 13 previously expired developer certificates that were used to sign malicious drivers. It’s part of a new wave of malware attacks that exploit a relatively new way to bypass the Windows security system, he writes Ars Technica.
Security researchers at Cisco Talos made the discovery, and are writing about the findings after giving Microsoft time to fix the problem by revoking the exploited certificates. However, Microsoft can’t do anything about a basic lack of security without making several old programs still in use unusable at the same time.
The hackers behind the new malware exploit a feature in a Windows security feature that usually requires drivers to be signed with a developer certificate and Microsoft certificate signed. For drivers that were signed with a valid developer certificate before July 29, 2015, the latter rule does not apply, as it would cause all drivers released before that date to stop working.
Two tools developed for hacking games and bypassing DRM protection, “Hooksigntool” and “Fuckcertverifytimevalidity”, can sign drivers with fake dates, which in turn enables installation without Microsoft signing. New malware developers use it to give them additional powers in the system.
Malware uses other methods to first infect the computer and obtain administrator privileges, and then install drivers with false signature dates to obtain kernel privileges. Until Microsoft finds, if possible, a permanent solution, the best defense against this type of attack is a good antivirus program that stops the original infection.
“Entrepreneur. Freelance introvert. Creator. Passionate reader. Certified beer ninja. Food nerd.”
More Stories
One of the best series of the 2000s is coming back soon – Season 2 is complete
For sale: Some cycling shirts and jackets
For sale: Original AXS paddle, matchmaker and battery cover