Hackers have been taking advantage of a rootkit, or malicious software that grants unauthorized access to a computer system, that somehow got Microsoft’s digital seal of approval. This alarming discovery raises important questions about how vulnerable we are to malicious software. Let’s take a closer look at this rootkit and how it bypassed Microsoft’s security protocols.
What Is a Rootkit?
Rootkits are malicious software tools that cybercriminals can use to gain control of computer systems. These tools allow attackers to hide malware and malicious activities or even access a system without being detected.
Rootkits were the apex predators of cybercrime more than a decade ago. These covert computer programs were designed to provide attackers with an unbroken foothold on victims’ computers while concealing malicious activity from the operating system and antimalware solutions.
The security mitigations introduced with Windows Vista have evicted these intruders living inside the operating system’s kernel, but they occasionally reappear.
Rootkits may contain backdoors, keyloggers, data-stealing malware, malicious scripts, and other sophisticated methods that make it difficult for the system’s owner or administrator to detect. By exploiting vulnerabilities, they can take control of a system without requiring user credentials and access confidential information stored on them.
As such, they are a dangerous threat to cybersecurity that must not be taken lightly. In fact, as rootkit threats become more advanced and sophisticated, it is increasingly essential for organizations and individuals to stay informed on the latest defense mechanisms available and to update their systems regularly to protect against such attacks.
What is the Fivesys Rootkit?
According to a recent report by cybersecurity firm Bitdefender, e-criminals have been using a rootkit dubbed “FiveSys” that eerily received an e-signature from Microsoft.
The malicious program allegedly granted attackers “virtually unlimited privileges” on infected systems, and hackers used it to target online gamers for credential theft and in-game purchase hijacking. According to researchers, “FiveSys” could also be redirected to other types of data theft.
Because of the inclusion of a legitimate-looking Microsoft Windows Hardware Quality Labs Testing (WHQL) driver certificate, the rootkit FiveSys was able to gain access to targeted systems.
WQOS generates a one-of-a-kind digital signature that allows certified drivers to be installed on a Windows computer via the official Windows Update program, giving end users confidence. Once loaded, the rootkit grants its creators nearly unlimited privileges.
Bitdefender, a security firm, discovered the increase in malicious drivers with valid e-signatures. According to the company, the rootkit in question allows attackers to circumvent security and gain access to and control of a targeted system by rerouting HTTP and HTTPS traffic to domains on attacker-controlled proxy servers.
The compromised WHQL certificate is similar to that used in the Netfilter rootkit, which was discovered earlier this year. Fivesys is the second rootkit to use a Microsoft certificate, and Bitdefender predicts that more attacks will use legitimate driver certificates.
According to Bitdefender, FiveSys originated in China and has been seen primarily targeting Chinese online game players. According to the security firm, the ultimate goal is to gain control of credentials in the games to make in-game purchases. Fivesys has yet to be spotted in the wild outside of China.
The randomness with which this rootkit reroutes compromised traffic makes removing it difficult. To complicate potential takedown attempts, the rootkit includes a list of 300 domains on the ‘.xyz’ TLD that appear to be generated randomly and stored in an encrypted form inside the binary.
To protect itself, the rootkit employs a variety of strategies, including preventing the ability to edit the registry and preventing the installation of other rootkits and malware from various groups.
Because of the random pattern, identifying and shutting down the domains is difficult. Bitdefender, for its part, immediately contacted Microsoft regarding using the WHQL driver certificate. Microsoft quickly revoked the e-signature.
How Did It Get Microsoft’s Digital Signature?
Cybercriminals are known to use stolen digital certificates, but in this case, they were able to obtain a valid one. It’s still unclear how cybercriminals were able to get a valid certificate.
Digital signatures are algorithms that businesses and other large organizations use for security. E-signatures generate a “virtual fingerprint” linked to specific entities and are used to verify their trustworthiness. As a security measure, Microsoft employs a digital signing process to reject programs that do not appear to have come from trusted sources.
However, the company’s security protocols appear to have been no match for the “FiveSys” rootkit and its cybercriminal handlers, who were able to get their malicious program signed with Microsoft’s digital approval stamp. It’s unclear how they accomplished this.
It could have been submitted for validation and somehow passed the checks. While digital signing requirements detect and stop the majority of rootkits, they are not foolproof. It’s unclear how FiveSys is spread, but researchers believe it’s bundled with cracked software downloads.
Once installed, the FiveSys rootkit redirects internet traffic to a proxy server, which it does by installing a custom root certificate so that the browser does not warn about the proxy’s unknown identity; it also prevents other malware from writing on the drivers, most likely in an attempt to prevent other cyber criminals from exploiting the compromised system.
According to attack analysis, the FiveSys rootkit is being used in cyberattacks against online gamers to steal login credentials and hijack in-game purchases.
Because of the popularity of online games, a lot of money can be involved – not only because banking information is linked to accounts but also because prestigious virtual items can fetch large sums of money when sold, implying that attackers could exploit access to steal and sell these items.
Currently, the attacks are aimed at gamers in China, where researchers believe the attackers are also based.
How to Get Rid of Rootkits like Fivesys?
Removing rootkits like Fivesys can be a daunting and complex task. Most antivirus solutions do not detect these malicious programs, so it is essential to take proactive measures against them. The first step is to complete a deep scan of your computer that detects and eliminates rootkits. Next, follow these steps:
1. Use rootkit removal software.
Don’t rely on Windows Defender or other built-in security software because most rootkits can circumvent essential safeguards. Use specialized software such as Avast One for complete protection. Avast combines the world’s largest threat-detection network with machine-learning malware protection into a single, lightweight tool capable of detecting and removing rootkits and defending against all types of future online threats.
2. Run a boot-time scan.
Modern malware employs sophisticated techniques to avoid detection by antivirus software. Rootkits on a device that is running an operating system can outwit automated antivirus scans.
If an antivirus program requests that the operating system open a specific malware file, the rootkit can alter the data flow and open a harmless file instead. They can also alter a malware file’s enumeration code, which stores and shares information about malware and prevents it from being included in a scan.
Rootkits are detected during the startup process of your computer by boot-time scans. The advantage of a boot-time scan is that the rootkit is usually still dormant and unable to hide in your system.3.
3. Wipe the device and reinstall the operating system.
If antivirus software and a boot-time scan fail to remove the rootkit, try backing up your data, wiping your device, and installing from scratch. This is sometimes the only option when a rootkit is operating at the boot, firmware, or hypervisor levels.
First, you must understand how to format a hard drive and clone a hard drive to back up your essential files. Although you may need to wipe the main C: drive, you can still keep most of your data. This is the final option for removing a rootkit.
Frequent updating of anti malware software will also help keep your system safe from new attempts at intrusion. With these techniques in place, dealing with existing and emerging rootkits like Fivesys should become much more straightforward.
What Can We Do To Protect Against Rootkits?
Rootkits are a serious security threat that can be difficult to detect and remove, but there are preventative steps that can be taken to reduce the chances. For example, keeping your operating system and software up-to-date ensures you don’t become vulnerable to known attack vectors for rootkit installation. Good patch management is key here, and antivirus software is a must, too – stay up-to-date with virus definitions so attackers have fewer options.
Be cautious when downloading anything, too – always ensure it’s from reliable sources and has good reviews. Disable unsigned drivers or executables, as these can be vulnerable entry points for rootkits. Lastly, a robust firewall or web filtering proxy will help block attackers trying to exploit vulnerabilities in unpatched systems. All these preventive measures give you the best chance of mitigating rootkit infections.
While the rootkit is currently being used to steal login credentials from gaming accounts, it may be used against other targets in the future. However, by taking a few simple cybersecurity precautions, you can avoid falling victim to this or similar attacks.
To be safe, download software from the vendor’s website or trusted sources only. Furthermore, modern security solutions can detect malware, including rootkits, and prevent its execution.
It is essential to take steps to protect yourself against malicious software like FiveSys. Make sure you keep your systems up-to-date with the latest patches—this will help protect you against known threats like this.
Additionally, use reliable antivirus software to scan for suspicious activity or malicious software on your computer systems. Finally, be aware of phishing attempts; do not click on links or open attachments from unknown sources since they could contain malware such as Kovter.
Microsoft’s ‘Patch Tuesday’ updates are constantly discovering and patching new zero-day vulnerabilities. Apple also rushed to patch macOS earlier this year after researchers found a way to circumvent its GateKeeper, file quarantine, and notarization security mechanisms using malware disguised as a regular document file.
Apple also released new versions of all four operating systems a day before its major September product launch to address security issues such as a vulnerability caused by NSO Group’s Pegasus spyware, which could install malware on targets’ iPhones without their knowledge.
The discovery of FiveSys has brought attention to how vulnerable we are when it comes to malicious software getting past our security protocols undetected by using digital certificates that appear legitimate but counterfeit. Taking proactive steps will help protect us against such attacks; keeping our systems updated with the latest patches, using reliable antivirus software, and being aware of phishing attempts can go a long way in protecting ourselves from malicious programs such as rootkits like FiveSys.