Grinding research finds gold in failed header checks
Deep Instinct researcher Tom Nipravsky has undermined the ubiquitous security technique of digitally signed files by baking malicious code into file headers without tripping popular security tools, in research presented at Black Hat.
Nipravsky inserted malicious code into the small attribute certificate table field in the header, which holds information about the file's digital certificates and is excluded from the signature's hash calculation.
One of three file-size checks is not properly performed by Microsoft's Authenticode, allowing VXers to alter the expected values so that infected digitally signed files still appear valid.
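The weakness described above comes down to bookkeeping: the attribute certificate table is described by three lengths (the security data-directory size, the WIN_CERTIFICATE dwLength, and the DER length of the PKCS#7 blob inside it), and the table itself is skipped when the Authenticode hash is computed. A defender can therefore look for bytes in that table that none of the lengths account for. The following is an added example, not code from Nipravsky, Deep Instinct or the paper: it builds a constructed, minimal PE32+ image in memory (no sections, a placeholder DER SEQUENCE standing in for a real PKCS#7 signature), appends a WIN_CERTIFICATE entry, and audits the three lengths against each other and against the file size. It does not verify the signature; run it alongside a real verifier.

```python
"""Audit a PE file's Authenticode attribute certificate table for unaccounted bytes.

Added example (not from the paper). The PE image and the "PKCS#7" blob are
constructed here so the script runs offline; FAKE_PKCS7 is a placeholder DER
SEQUENCE, not a real SignedData structure.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # data directory index of the certificate table
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

# Constructed stand-in: SEQUENCE { OCTET STRING "signed" } -- 10 bytes total.
FAKE_PKCS7 = b"\x30\x08" + b"\x04\x06" + b"signed"


def der_object_length(buf: bytes) -> int:
    """Total length (tag + length octets + content) of the DER object at buf[0]."""
    if len(buf) < 2:
        raise ValueError("truncated DER header")
    first = buf[1]
    if first < 0x80:                       # short form: one length octet
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or len(buf) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def security_directory(pe: bytes) -> tuple:
    """Return (file offset, size) of the security data directory for PE32 or PE32+."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs_off = {0x10B: 96, 0x20B: 112}[magic]   # data directories start (PE32 / PE32+)
    n_dirs = struct.unpack_from("<I", pe, opt + dirs_off - 4)[0]   # NumberOfRvaAndSizes
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    return struct.unpack_from("<II", pe, entry)   # for this entry VirtualAddress is a file offset


def audit_certificate_table(pe: bytes) -> dict:
    """Cross-check the three lengths that describe the certificate table; report slack."""
    findings = []
    off, size = security_directory(pe)
    if size == 0:
        return {"signed": False, "findings": findings, "unaccounted": 0}
    if off + size > len(pe):               # directory claims more bytes than the file has
        findings.append("certificate table runs past end of file")
        size = len(pe) - off
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", pe, off)
    if dw_length != size:                  # WIN_CERTICATE.dwLength vs data-directory size
        findings.append(f"dwLength {dw_length} != directory size {size}")
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        findings.append(f"unexpected certificate type 0x{cert_type:04x}")
    blob = pe[off + 8: off + min(dw_length, size)]
    if not blob or blob[0] != 0x30:
        findings.append("bCertificate does not start with a DER SEQUENCE")
        return {"signed": True, "findings": findings, "unaccounted": len(blob)}
    der_len = der_object_length(blob)      # bytes the PKCS#7 object itself claims
    trailing = blob[der_len:]
    pad = (-der_len) % 8                   # spec allows zero padding to an 8-byte boundary
    if len(trailing) <= pad and not any(trailing):
        unaccounted = 0
    else:
        unaccounted = len(trailing)
        findings.append(f"{unaccounted} bytes after the PKCS#7 object are not covered by its DER length")
    return {"signed": True, "findings": findings, "unaccounted": unaccounted}


def build_sample_pe(pkcs7: bytes, hidden: bytes = b"") -> bytes:
    """Constructed minimal PE32+ image (no sections) with one WIN_CERTIFICATE entry.

    `hidden` simulates data parked in the table after the PKCS#7 object.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)   # x64, 0 sections, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    headers_len = 64 + 4 + 20 + 240                              # 328, already 8-byte aligned
    body = pkcs7 + hidden
    body += b"\0" * ((-len(body)) % 8)                           # pad entry to 8 bytes
    dw_length = 8 + len(body)
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, headers_len, dw_length)
    win_cert = struct.pack("<IHH", dw_length, WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + win_cert


if __name__ == "__main__":
    for label, extra in (("clean", b""), ("slack", b"HIDDEN")):
        print(label, audit_certificate_table(build_sample_pe(FAKE_PKCS7, extra)))
```

The audit only reads structure, so it is safe to run over untrusted samples, and a hit is a triage signal rather than a verdict: some installers have legitimately used this slack to carry their own data, so pair the check with signature verification and a look at what the unaccounted bytes contain.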
Nipravsky reverse-engineered Microsoft's undocumented portable executable (PE) loading process to develop a Reflective PE Loader, which can stealthily load the header's malicious code into memory without raising security flags.
Nipravsky and colleagues at Deep Instinct describe their work in the paper Certificate bypass: Hiding and executing malware from a digitally signed executable [PDF], released at the Black Hat security conference in Las Vegas last week.