FiveSys Rootkit Abuses Microsoft-Issued Digital Signature (October 21, 2021)
https://www.securityweek.com/fivesys-rootkit-abuses-microsoft-issued-digital-signature
Bitdefender: Digitally-Signed Rootkits are Back – A Look at FiveSys and Companions (PDF): https://www.bitdefender.com/files/News/CaseStudies/study/405/Bitdefender-DT-Whitepaper-Fivesys-creat5699-en-EN.pdf
Good thing @cruelsister added WV to her defense arsenal, as Comodo would miss this (I think?). But I wonder if WV can catch it without signatures, that is.
Good point. And herein enters the return of the infamous rootkit(s) again. Because once success sets in, duplicates are certain to follow.
The defence is quite simple: don't allow driver loading from untrusted apps. That's what I told you in another topic; with a tool like SpyShelter you can control app behavior, similar to the permission system in Android and iOS, only way more advanced. I have been using HIPS since 2004: I started with Process Guard, then System Safety Monitor and Neoava Guard, and now SS. The problem with Windows is that once some app has managed to load a malicious driver, there is no easy way to block malicious behavior anymore, and that's what makes rootkits so dangerous. That's why M$ decided to implement PatchGuard in Windows Vista; this will at least prevent rootkits from messing around with the Windows kernel, but they still have plenty of other capabilities.
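A defender-side companion to the discussion above, added here as an example and not taken from the thread or from any of the tools it mentions: it lists the kernel drivers currently running, checks each file's Authenticode signature and signer, and flags the ones that are newest on disk or whose signer is not in a baseline list. The `-BaselineSigners` values are constructed placeholders; a real baseline would come from a known-good snapshot of the same machine.

```powershell
# Added example: report who signed each running kernel driver, and surface what is unusual.
# Assumes Windows PowerShell 5.1 or later with read access to the driver files.
function Get-DriverSignerReport {
    param(
        # Signer subjects seen on a known-good snapshot of this host (constructed placeholders).
        [string[]]$BaselineSigners = @('CN=Microsoft Windows*', 'CN=Example Vendor Inc*'),
        # Files created more recently than this are reported as new regardless of signer.
        [datetime]$NewerThan = (Get-Date).AddDays(-30)
    )
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }
    foreach ($d in $drivers) {
        # Normalise the kernel-style paths that Win32_SystemDriver returns (\??\C:\..., \SystemRoot\...).
        $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $file = Get-Item -LiteralPath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        $inBaseline = ($BaselineSigners | Where-Object { $subject -like $_ }).Count -gt 0
        [pscustomobject]@{
            Name     = $d.Name
            Status   = $sig.Status            # Valid / NotSigned / NotTrusted / HashMismatch ...
            Signer   = $subject
            Created  = $file.CreationTime
            Path     = $path
            # A Valid status is not evidence of benign intent (the point of the FiveSys story),
            # so "Review" is driven by what is unusual for this host, not by validity alone.
            Review   = (-not $inBaseline) -or ($file.CreationTime -gt $NewerThan)
        }
    }
}

# Unknown or newly dropped drivers first. NotSigned on an inbox driver usually means a
# catalog-only signature rather than tampering, so treat it as a prompt to look closer.
Get-DriverSignerReport |
    Sort-Object @{Expression = 'Review'; Descending = $true}, @{Expression = 'Created'; Descending = $true} |
    Format-Table Name, Review, Status, Signer, Created, Path -AutoSize
```

The report is a triage aid, not a verdict: a driver that carries a Microsoft-issued signature and is new to the host is exactly the case the thread describes, and only comparison against a baseline or vendor documentation settles it.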