
Stealthy malware infects digitally-signed files without altering hashes

Gaston Alexander

Grinding research finds gold in failed header checks

Deep Instinct researcher Tom Nipravsky has shown at Black Hat that the ubiquitous practice of trusting digitally signed files can be undermined by baking malicious code into a header-referenced region of a signed executable without tripping popular security tools.

Nipravsky inserted malicious code into the attribute certificate table, the small region of a portable executable (PE) that holds its digital certificate data and which, by design, is excluded from the hash that the signature covers, so the file's signature still verifies.

One of the three file-size checks that should be applied to that table is not properly enforced by Microsoft's Authenticode, letting malware authors adjust the expected size values so that an infected, digitally signed file still appears valid.
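To make the two points above concrete, the following is an added example (not code from the page, from Nipravsky or from Deep Instinct): it builds a constructed, minimal PE32 image with a dummy certificate table, computes a simplified Authenticode-style hash that skips the CheckSum field, the security data directory entry and the certificate table as the specification requires, and then shows that bytes smuggled into the table leave that hash unchanged. It also runs the size-consistency checks a defender can apply: the table must end at end of file, the WIN_CERTIFICATE dwLength must not exceed the directory Size, and the DER-encoded PKCS#7 blob should fill the table apart from alignment padding. The "certificate" is a constructed DER SEQUENCE rather than a real PKCS#7 signature, the hash walk assumes sections stored in ascending file order (so a flat pass equals the per-section walk in the specification), and the helper names are the example's own.

```python
"""Added example: flat-file Authenticode-style hash over a constructed PE32
and consistency checks on the attribute certificate table."""
import hashlib
import struct

SECURITY_DIR_INDEX = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_HDR = 8         # dwLength(4) + wRevision(2) + wCertificateType(2)

# Constructed stand-in for a PKCS#7 SignedData blob: a DER SEQUENCE
# wrapping the OCTET STRING "abc". Not a real signature.
SAMPLE_CERT = b"\x30\x05\x04\x03abc"


def _opt_header_offset(pe: bytes) -> int:
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20          # skip signature and COFF header


def locate_fields(pe: bytes):
    """Return (checksum_off, secdir_off, cert_va, cert_size)."""
    opt = _opt_header_offset(pe)
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    secdir = dirs + SECURITY_DIR_INDEX * 8
    cert_va, cert_size = struct.unpack_from("<II", pe, secdir)
    return opt + 64, secdir, cert_va, cert_size


def authenticode_hash(pe: bytes) -> str:
    """SHA-256 of the file minus CheckSum, the security directory entry and
    the certificate table (simplified: assumes ascending section order)."""
    checksum_off, secdir_off, cert_va, cert_size = locate_fields(pe)
    h = hashlib.sha256()
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:secdir_off])
    if cert_size == 0:
        h.update(pe[secdir_off + 8:])
    else:
        h.update(pe[secdir_off + 8:cert_va])
        h.update(pe[cert_va + cert_size:])      # normally empty
    return h.hexdigest()


def der_total_length(buf: bytes) -> int:
    """Total length (tag + length + value) of the DER element at buf[0]."""
    if len(buf) < 2:
        raise ValueError("truncated DER")
    first = buf[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def cert_table_findings(pe: bytes) -> list:
    """Size-consistency checks for a single-entry certificate table."""
    _, _, va, size = locate_fields(pe)
    findings = []
    if size == 0:
        return ["unsigned: no certificate table"]
    if va + size != len(pe):
        findings.append("certificate table does not end at end of file")
    dw_length = struct.unpack_from("<I", pe, va)[0]
    if dw_length > size:
        findings.append("dwLength exceeds security directory Size")
    der_len = der_total_length(pe[va + WIN_CERT_HDR:])
    slack = (va + size) - (va + WIN_CERT_HDR + der_len)
    if slack > 7:                      # more than 8-byte alignment padding
        findings.append(f"{slack} bytes after the PKCS#7 blob inside the table")
    return findings


def build_pe(cert_blob: bytes, hidden: bytes = b"") -> bytes:
    """Constructed minimal PE32 (not a runnable program): headers, 64 bytes
    of stand-in code, then one WIN_CERTIFICATE entry wrapping cert_blob plus
    any hidden bytes appended inside the table."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    body = bytes(range(64))                        # stand-in for code
    cert_va = len(dos) + 4 + len(coff) + len(opt) + len(body)
    entry = cert_blob + hidden
    dw_length = WIN_CERT_HDR + len(entry)
    entry += b"\0" * (-dw_length % 8)              # 8-byte alignment
    table = struct.pack("<IHH", dw_length, 0x0200, 0x0002) + entry
    struct.pack_into("<II", opt, 96 + SECURITY_DIR_INDEX * 8, cert_va, len(table))
    return dos + b"PE\0\0" + coff + bytes(opt) + body + table


if __name__ == "__main__":
    clean = build_pe(SAMPLE_CERT)
    infected = build_pe(SAMPLE_CERT, b"\xcc" * 40)   # constructed payload
    print("hash unchanged:", authenticode_hash(clean) == authenticode_hash(infected))
    print("clean findings:", cert_table_findings(clean))
    print("infected findings:", cert_table_findings(infected))
```

Flipping any byte outside the table changes the hash, while the 40 smuggled bytes do not; only the slack check, or a comparison of the table's declared size against what the PKCS#7 blob actually occupies, exposes them.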

Nipravsky reverse-engineered Microsoft's undocumented portable executable loading process to develop a Reflective PE Loader that reads the malicious code out of the certificate table and loads it into memory without raising security flags.

Nipravsky and colleagues at Deep Instinct describe their work in the paper "Certificate Bypass: Hiding and Executing Malware from a Digitally Signed Executable" (PDF), released at the Black Hat security conference in Las Vegas last week.
