Microsoft accidentally approved malware that could spy on Windows users

Hackers hid the malware inside a common program for filtering network traffic.

Last week, Microsoft published a blog post saying it discovered a piece of malware that managed to slip past the company’s safeguards to get installed on Windows 10 computers in China. The malware, when installed, could collect all internet traffic going through a computer and send it to a third party.

Microsoft says the hackers targeted gamers and are not believed to be state-affiliated. A new update for Windows Defender has been released that neutralizes the malware that was allowed to run rampant for three months.

"The actor’s activity is limited to the gaming sector specifically in China and does not appear to target enterprise environments," Microsoft wrote. "The actor’s goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers."

Supply chain hack — By default, Windows computers only run drivers that have been reviewed and approved by Microsoft directly. But the hackers were able to avoid detection by hiding their malware inside an otherwise innocuous driver called Netfilter, an open-source program designed for filtering traffic on a network. Because Netfilter has the ability to operate at the lowest levels of a computer, the hackers could intercept any internet traffic going through an infected computer and even manipulate web requests.

For the malware to actually get installed on a person’s computer, that person would first need to be targeted in some other way, because drivers cannot be installed without administrative access.

Microsoft’s blog post suggests the hackers just wanted to use a victim’s computer for cheating in games — by spoofing their location, a player can access otherwise restricted game servers where they may have an advantage. But the hackers could have also compromised computers to potentially collect sensitive personal information like credit card numbers.

Hits keep coming — The news comes shortly after Microsoft saw its internal systems compromised in the SolarWinds attack. In that hack, the company saw some source code stolen as well as sensitive information about Microsoft customers that could be used for phishing.

The SolarWinds fiasco was similarly caused by malicious code being slipped into an update for otherwise innocent network management software.

Attacks at the supply-chain level (the exchange point where software is packaged and delivered to a user) are becoming more frequent, as they can give hackers access to a person’s most intimate information without that person ever knowing. Apple has faced similar problems on macOS.