Stealthy malware infects digitally-signed files without altering hashes
Grinding research finds gold in failed header checks
Black Hat Deep Instinct researcher Tom Nipravsky has undermined the ubiquitous security technique of digitally-signed files by baking malicious code into headers without tripping popular security tools.
Nipravsky inserted malicious code into the small header attribute certification table field which contains information about digital certificates and is not subject to hash calculation.
One of three file size checks is not properly conducted by Microsoft's Authenticode allowing VXers to alter expected values so that infected digitally-signed files appear valid.
Nipravsky reverse-engineered Microsoft's undocumented portable executable loading process to develop the Reflective PE Loader which can stealthily inject the header's malicious code into system memory without raising security flags.
Nipravsky and colleagues at Deep Instinct describe their work in the paper Certificate bypass: Hiding and executing malware from a digitally signed executable [PDF] released at the Black Hat security conference in Las Vegas last week.
"[The attack] bypasses security vendors, both on the disk and during loading, by storing the malicious code inside signed files without invalidating the digital signature," the team says.
"It also evades detection during execution time, by using reflective EXE loading of the malicious code.
"Thus, our technique allows the execution of persistent malicious code to remain hidden from current software solutions."
The code stays hidden despite malicious header information remaining unencrypted.
The research is an arrow directed at the "Achilles’ heel" of "most" security solutions, the researchers say, and could be a godsend for malware writers who rely on known executable-packers that are minced by most security platforms.
It is for reasons of real-world damage control that the proof-of-concept was not released.
"By adopting an attacker’s mindset, the security industry can creatively identify attack vectors and flaws, offering better protection," the researchers say. ®