It also just keeps happening. A recent game (Genshin Impact) shipped with an anti-cheat driver that had unauthenticated read/write primitives via IPC for debugging, and it's been abused since.
Microsoft would not want to stop, since it keeps users locked in to Windows. The majority of games now support Linux according to ProtonDB, but the few popular games that don't are almost always due to a kernel-level anti-cheat.
Talking out of school here, but games currently seem to require such low level hardware access that this is rendered impossible.
No matter if your game has crappy memory management and the escalation exploit roots your Xbox, an update will quash that. But people are banking and buying/mining crypto and then launching Fortnite or whatever.
Game security is nuts. It's always been a training ground for RE/binary exploitation engineers, so that's a plus.
Literally no part of this comment is true. They’re not hidden and they’re not malicious.
They’re also very much required, because a user mode anti-cheat is trivially circumvented by a kernel mode cheat. The only way to defeat cheats is to wage continuous war with them, adapting to their tactics and stamping them out. It’s like collecting trash; trash will keep accumulating, your goal is to keep homes and streets clean in spite of that.
If we think rationally, why would a nation state put in effort to block ONE single search term to hinder information spread while still letting multiple other queries give the same results? There is zero to gain from that.
As with all security mitigations it does something, it’s significantly more difficult to get kernel level malware installed now than in the Win95 days, but it’s not a cast iron guarantee nothing bad will ever happen again.
Signing is a useful measure. But not by itself. There are several harder admissions to be made.
The security business is very lucrative ambulance-chasing. A business-grade OS needs high-confidence evaluation and design.
Windows cannot be safe while being all things to all users, with backward compatibility extending three decades. It may be time to split the product into more than just artificial marketing tiers.
Rewrite the OS in a safer language. I won't pick one, but Microsoft is large and sufficiently profitable to know what to do and how to do it. Windows 11 should not just be a change of curtains and doilies.
It's a significant hurdle, especially if getting something signed requires some kind of certification process and company identity verification.
It also ensures that the OS vendor has a copy of the binary (although it will only be the first stage, I assume). Without signing, attackers can push malware onto one machine without anyone else getting a copy.
The driver is signed with the certificate of the developer, an EV certificate at that. The “Microsoft signature” is just an attestation signature and does not indicate the software is from Microsoft.
Every driver that runs on Windows 7+ is required to be signed this way via the Microsoft portal.
Why the article seems to go out of its way not to mention the name of the certificate that first signed the driver is strange.
They also fail to mention that this cross signature gives Microsoft the power to revoke the validity of the driver or every driver signed with the developers certificate.
Again this may not have fit into the crafted narrative they are providing.
The issue it seems is that MS dropped the requirement that drivers must also be signed by the developer’s own EV certificate - it seems developers can get binaries signed without that, which means only MS knows which company is the one that signed a specific program/driver in this configuration. https://twitter.com/gossithedog/status/1405976566694395906?s...
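As an added example (not code from the thread, from G DATA or from Microsoft), here is a PowerShell check that applies the distinction the comments above are drawing: it reads a driver's Authenticode signer and tells an attestation-signed driver (Microsoft's hardware-compatibility publisher certificate carrying the attested-verification EKU, where the developer's identity is not in the signature at all) from a WHQL signature or a third-party developer signature, and it builds the chain with online revocation checking, since the cross-signature is what lets Microsoft revoke. The EKU OIDs are the ones Microsoft documents for driver signing; the enumeration of loaded drivers at the bottom is illustrative usage. One caveat: Get-AuthenticodeSignature reports only the primary signature, so a developer signature nested beneath Microsoft's would not show up here.

```powershell
# Added example: inspect a kernel driver's Authenticode signer and classify the signature.
# Not code from the thread or from any product it discusses.
# EKU OIDs below are the ones Microsoft documents for driver signing.
$EkuAttested = '1.3.6.1.4.1.311.10.3.5.1'  # Windows Hardware Driver Attested Verification
$EkuWhql     = '1.3.6.1.4.1.311.10.3.5'    # Windows Hardware Driver Verification (HLK/WHQL)

function Get-DriverSignerInfo {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $info = [ordered]@{
        Path       = $Path
        Status     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer     = $null
        Chain      = @()
        Revocation = @()
        Kind       = 'unsigned or unreadable'
    }
    if (-not $sig.SignerCertificate) { return [pscustomobject]$info }

    $leaf = $sig.SignerCertificate
    $info.Signer = $leaf.Subject

    # Build the chain with online revocation checking: the cross-signature is what lets
    # Microsoft revoke one driver, or every driver from one publisher, after the fact.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $null = $chain.Build($leaf)
    $info.Chain      = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    $info.Revocation = @($chain.ChainStatus   | ForEach-Object { $_.Status.ToString() })

    # Extended key usages on the leaf tell attestation and WHQL signatures apart even
    # though both are issued to the same Microsoft publisher subject.
    $ekus = @($leaf.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    $info.Kind = if ($leaf.Subject -like '*Windows Hardware Compatibility Publisher*') {
        if     ($ekus -contains $EkuAttested) { 'Microsoft attestation signature (developer identity not in the signature)' }
        elseif ($ekus -contains $EkuWhql)     { 'Microsoft WHQL signature' }
        else                                  { 'Microsoft hardware publisher signature, unrecognised EKU set' }
    } else {
        'third-party signature'
    }
    [pscustomobject]$info
}

# Usage: classify every registered kernel driver and surface the attestation-signed
# and unsigned/invalid ones. Paths from Win32_SystemDriver sometimes carry an NT-style
# \??\ or \SystemRoot\ prefix, which is normalised here.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $p = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (Test-Path -LiteralPath $p) { Get-DriverSignerInfo -Path $p }
    } |
    Where-Object { $_.Kind -like 'Microsoft attestation*' -or $_.Status -ne 'Valid' } |
    Format-Table Status, Kind, Path -AutoSize
```

Run it elevated; the Revocation field is the place to look when Microsoft has pulled a publisher, and an attestation-signed driver whose Signer is the Microsoft publisher tells you, as the comment above says, that only Microsoft's portal records know which company submitted it.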
Where does the driver come from, in the supply chain? I mean, is it the game devs that put it in? Is it the anti-cheat software they buy from a vendor? If so, who develops that and how did the driver get into it? It would be good to know at what stage it was injected.
So what are the legal ramifications? Because that's really the only interesting thing here. (A list of affected products would also be good, but that's not interesting; that's kind of the bare minimum.)
Edit: after getting in touch with Joshua, behind Echo, the original evidence on Twitter by Kevin Beaumont has been retracted [0] and Joshua claims that Echo is not related to the rootkit in question.
Edit 2: Some further clarifications about Echo from Joshua: "We also don't just give untethered access, it's a scan which does specific things and doesn't have any malicious capabilities from the staff member on the player. How it works is cheats leave traces behind; Echo is almost a forensic analysis to see if cheats were on that PC. For example, any executable on Windows that resolves a domain has strings in the Dnscache service, or any process that makes requests to cheat servers will leave the domain as strings in lsass.exe (which can be PPL and can require kernel to read from). We use the driver and strong obfuscation to prevent cheat developers (known to be good reverse engineers) from being able to just clear these traces."
Piecing together info scattered across disclosures [1] and tweets [2], it seems the malware is related to Echo [3], a product marketed for Minecraft server owners that allegedly helps in detecting cheaters. From what I understand, suspected cheaters are requested by the server staff to download and install the Echo client, which shares the player's screen [4] with the admins and apparently gives full, unrestricted OS access.
I've tried to get in touch with the people allegedly behind Echo [5] [6] for clarification, and I'll update this once I get more info.
> From what I understand, suspected cheaters are requested by the server staff to download and install the Echo client, which shares the player's screen [4] with the admins and apparently gives full, unrestricted OS access.
Downloading and running software like that from someone you met on a game server is incredibly stupid. I know multiple people who have gotten rootkits and lost control of important accounts this way.
Wait a second. According to the article, the only weird thing the driver does is sending some CPU info telemetry and automatically checking for updates. By that standard, nearly every piece of gaming software that releases nowadays is malware. "Ningbo Zhuo Zhi Innovation Network Technology" is also not on the current DOD list of Communist Chinese military companies. The whois record for the given ip doesn't even link to this company, it's a protected record under some Chinese telecorp. Who wrote this garbage? This seems like a cheap attempt to generate outrage.
This malware registers a system-wide proxy and redirects certain traffic at the IP level. It also registers its own CA certificate, making TLS MITM possible. Finally, it has auto-update functionality which could be used to push different malware to selected users.
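As an added example (not code from the thread or from the G DATA write-up), a PowerShell triage script that looks for the traces those three behaviours leave on a host: an added root CA, which TLS interception needs; a system-wide proxy the user never configured; and a kernel driver loading from outside System32. The baseline of expected root-certificate thumbprints is an assumption to be filled in from a clean reference machine; while it is empty only the recency and private-key heuristics apply. The IP-level redirection itself happens inside the driver and leaves nothing in these settings, which is why the driver check is part of the script.

```powershell
# Added example: quick host triage for the behaviours listed above (system-wide proxy,
# an added root CA, a driver installed outside the normal location). It reports only;
# it does not remediate. Not code from the thread or from the G DATA report.
# $KnownRootThumbprints is an assumption: fill it from a clean reference machine
# (Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint).
# Left empty, the baseline test is skipped and only the other heuristics apply.
$KnownRootThumbprints = @()

function Get-SuspiciousRootCerts {
    param([string[]]$Baseline = $KnownRootThumbprints, [int]$RecentDays = 90)
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        foreach ($cert in Get-ChildItem -Path $store) {
            $reasons = @()
            if ($Baseline.Count -gt 0 -and $Baseline -notcontains $cert.Thumbprint) { $reasons += 'not in baseline' }
            if ($cert.NotBefore -gt $cutoff) { $reasons += "issued within the last $RecentDays days" }
            # An interceptor can keep its CA key anywhere, but a root with a private key in
            # the store means this host itself can mint leaf certificates browsers will trust.
            if ($cert.HasPrivateKey) { $reasons += 'private key present' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotBefore  = $cert.NotBefore
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

function Get-ProxyConfig {
    # WinINET proxy settings (per user, per machine, and policy-enforced) live in the
    # registry; the WinHTTP proxy used by services is read with netsh.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
        'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    )
    foreach ($k in $keys) {
        if (Test-Path -Path $k) {
            $p = Get-ItemProperty -Path $k
            [pscustomobject]@{
                Source        = $k
                ProxyEnable   = $p.ProxyEnable
                ProxyServer   = $p.ProxyServer
                AutoConfigURL = $p.AutoConfigURL
            }
        }
    }
    [pscustomobject]@{
        Source        = 'WinHTTP (netsh winhttp show proxy)'
        ProxyEnable   = $null
        ProxyServer   = ((netsh winhttp show proxy) -join ' ').Trim()
        AutoConfigURL = $null
    }
}

function Get-DriversOutsideSystem32 {
    # Inbox and vendor drivers live under System32 (drivers\ or DriverStore\); a kernel
    # driver loading from anywhere else deserves a look. NT-style prefixes are normalised.
    $sysdir = Join-Path $env:SystemRoot 'System32'
    Get-CimInstance Win32_SystemDriver | Where-Object {
        $_.PathName -and
        (($_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot) -notlike "$sysdir\*")
    } | Select-Object Name, State, StartMode, PathName
}

# Usage: run elevated, then review each section by hand.
'== Root CAs worth a look ==';     Get-SuspiciousRootCerts    | Format-Table -AutoSize
'== Proxy configuration ==';       Get-ProxyConfig            | Format-List
'== Drivers outside System32 =='; Get-DriversOutsideSystem32 | Format-Table -AutoSize
```

None of the three checks is conclusive on its own: a recently issued root may be a legitimate corporate CA and a proxy may be a corporate one, so the value is in reading the three sections together and against a known-clean machine.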
> Notably, the C2 IP 110.42.4.180 that the malicious Netfilter driver connects to belonged to Ningbo Zhuo Zhi Innovation Network Technology Co., Ltd, according to WHOIS records.
> The U.S. Department of Defense (DoD) has previously marked this organization as a "Communist Chinese military company," another researcher @cowonaut observed.
Tried to check the claim, which links to http://www.defense.gov/Newsroom/Releases/Release/Article/247.... There are four short PDFs linked there, and I couldn't find the company in any of the lists. Tried to check historical versions on Internet Archive, still couldn't find anything, but admittedly I only looked briefly. "site:defense.gov Ningbo Zhuo Zhi" turned up nothing on Google.
Now, the WHOIS record points to nbgaofang.com, which claims to be a cloud provider specializing in DDoS protection, so a Cloudflare of sorts.
Do reporters actually read what they link? Do they intentionally report “juicy” bs with sham links that don’t support the bs, knowing full well that few readers would try to verify sources?
This article is certainly low quality, it rehashes existing media stereotypes (something bad happened, and naughty China is behind it) instead of making things clear. Obvious questions (What game or other software bundled the driver? Was it made by the same company that signed the code? What runs on the servers from the redirected addresses list?) are not even mentioned. If the narrative is that Chinese hackers tricked the impregnable systems of Microsoft, then it falls apart after learning, say, how many times official drivers from Intel and the like were found to have privilege escalation functionality. Also, we are supposed to be happy when it's official western corporate rootkits that collect all system information they want, and share it with who knows which organizations, or when Microsoft itself does it.
lawl | 4 years ago
No game should require a kernel driver.
meibo | 4 years ago
It's a security theater.
swebs | 4 years ago
https://www.protondb.com
maccard | 4 years ago
Edit: rather than downvoting can someone offer a reason as to why?
ilamont | 4 years ago
They can always blame "accidental human error."
https://www.bbc.com/news/world-asia-57367100
tyingq | 4 years ago
Well, perhaps for less shady purposes, but still very misleading.
andrecarini | 4 years ago
[0] https://twitter.com/GossiTheDog/status/1408900596145569795
[1] https://www.gdatasoftware.com/blog/microsoft-signed-a-malici...
[2] https://twitter.com/GossiTheDog/status/1407328596247646217
[3] https://echo.ac
[4] https://www.reddit.com/r/screensharing/
[5] https://find-and-update.company-information.service.gov.uk/c...
[6] https://discord.gg/mGTTAT5
swiley | 4 years ago
Yes.