
Malware developers create malformed code signatures to avoid detection

Google researchers uncover a technique used to push unwanted software onto unsuspecting victims

Security researchers have discovered hackers crafting malformed code signatures that Windows still treats as valid, in order to evade detection by security software.

Researchers at Google’s Threat Analysis Group found the hackers using the technique to install OpenSUpdater, unwanted software that is then used to download and install other suspicious programs.

“The actor behind OpenSUpdater tries to infect as many users as possible and while they do not have specific targeting, most targets appear to be within the United States and prone to downloading game cracks and grey-area software,” said Neel Mehta, a security researcher at Google.

About a month ago, Mehta found that OpenSUpdater’s developers had started signing samples with a legitimate certificate whose encoding had been deliberately malformed. Samples carrying the invalid signature had been uploaded to VirusTotal as far back as mid-August, and Windows accepted them. OpenSSL, however, rejected them.

In these new samples, the hackers edited the signature so that an end-of-content (EOC) marker replaced the NULL tag for the “parameters” element of the SignatureAlgorithm that signs the leaf X.509 certificate.

In ASN.1 BER, an EOC marker (two zero octets) terminates an indefinite-length encoding. Here it appears inside a definite-length encoding, where it has no legitimate meaning, so a strict DER parser has to decide whether to reject it or quietly carry on.

“Security products using OpenSSL to extract signature information will reject this encoding as invalid. However, to a parser that permits these encodings, the digital signature of the binary will otherwise appear legitimate and valid,” said Mehta.
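The divergence Mehta describes can be shown with a small DER walker. The following is an added example, not code from Google TAG, OpenSSL or the article: it builds a well-formed AlgorithmIdentifier for sha256WithRSAEncryption, a constructed copy in which the NULL parameters (05 00) are swapped for an EOC marker (00 00) inside the definite-length SEQUENCE, and parses both once strictly (rejecting the EOC as OpenSSL does) and once leniently (treating it as NULL, as a permissive parser would). The `classify_algorithm_identifier` helper is a hypothetical triage check for flagging such signatures, and the byte strings are constructed for illustration.

```python
"""Strict vs. lenient DER parsing of an AlgorithmIdentifier containing an
EOC marker. Added example; the byte strings below are constructed."""

# OID 1.2.840.113549.1.1.11 (sha256WithRSAEncryption), DER content octets
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")

# Well-formed: SEQUENCE { OID sha256WithRSAEncryption, NULL }
GOOD_ALGID = bytes.fromhex("300d" "0609" + SHA256_RSA_OID.hex() + "0500")

# Malformed variant from the article: the NULL (05 00) for "parameters"
# is replaced by an EOC marker (00 00) inside a definite-length SEQUENCE.
BAD_ALGID = bytes.fromhex("300d" "0609" + SHA256_RSA_OID.hex() + "0000")


class DerError(ValueError):
    """Raised for any encoding a strict DER reader must refuse."""


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the definite-length TLV at buf[pos]."""
    if pos + 2 > len(buf):
        raise DerError("truncated TLV header")
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0:
            raise DerError("indefinite length is not allowed in DER")
        if pos + n > len(buf):
            raise DerError("truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise DerError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_sequence(buf, strict=True):
    """Parse one top-level SEQUENCE into a list of (tag, value) children.

    strict=True rejects an EOC octet pair (tag 0x00) inside a definite-length
    encoding, which is what OpenSSL does. strict=False models a permissive
    parser that treats the EOC as the NULL it stands in for, so the rest of
    the signature still checks out.
    """
    tag, body, end = _read_tlv(buf, 0)
    if tag != 0x30:
        raise DerError("expected SEQUENCE")
    if end != len(buf):
        raise DerError("trailing bytes after SEQUENCE")
    children = []
    pos = 0
    while pos < len(body):
        ctag, cval, pos = _read_tlv(body, pos)
        if ctag == 0x00:
            if strict:
                raise DerError("EOC marker inside definite-length encoding")
            ctag = 0x05  # lenient parser: pretend it was NULL parameters
        children.append((ctag, cval))
    return children


def classify_algorithm_identifier(buf):
    """Hypothetical triage check: 'ok', 'eoc-in-definite-length' or 'invalid'.

    A sample that a strict parser rejects only because of an embedded EOC,
    yet a lenient parser accepts, is exactly the evasion described above.
    """
    try:
        parse_sequence(buf, strict=True)
        return "ok"
    except DerError as exc:
        if "EOC" not in str(exc):
            return "invalid"
    try:
        parse_sequence(buf, strict=False)
        return "eoc-in-definite-length"
    except DerError:
        return "invalid"


if __name__ == "__main__":
    for name, blob in (("good", GOOD_ALGID), ("bad", BAD_ALGID)):
        print(name, blob.hex(), classify_algorithm_identifier(blob))
```

Running the block prints "ok" for the well-formed identifier and "eoc-in-definite-length" for the edited one; the lenient parse of the bad blob returns the same children as the good one, which is why a permissive verifier sees nothing wrong. A detection rule keyed on the strict parser alone would simply report "invalid" and miss the distinction that makes this sample interesting.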


Mehta said this was the first time his team had observed hackers using this technique to evade detection while preserving a valid digital signature on PE files.

"Since first discovering this activity, OpenSUpdater's authors have tried other variations on invalid encodings to further evade detection," Mehta added.

Upon discovering the issue, Mehta reported it to Microsoft for investigation. His team is currently working with Google Safe Browsing to protect users from downloading and executing the unwanted software. He stressed that users should only download and install software from reputable and trustworthy sources.

OpenSSL, the widely used cryptographic library, has itself been the subject of flaws. As reported in April, a severe bug that could have allowed attackers to crash many servers was patched. The update, OpenSSL 1.1.1k, fixed two high-severity bugs, including CVE-2021-3449, a NULL pointer dereference in TLS servers that an attacker could trigger at will to crash vulnerable web or email servers, a denial of service (DoS).
