Cybercriminals can pack malware into digitally signed executables without breaking the signature, thus avoiding anti-virus detection, researchers say.
In a whitepaper presented at Black Hat USA 2016, Deep Instinct researchers reveal that it is possible to hide an executable malicious file inside another file without breaking normal PE (Portable Executable) execution (basically, without encrypting the main sections of the file).
Malware authors are constantly seeking means to evade detection and prevention solutions, and they frequently use packers and encryption techniques for that, because security solutions are efficient only if they can unpack the compressed or encrypted malicious content. Packed and encrypted files can be identified both on disk and during execution, but the researchers say that their newly discovered technique prevents that.
Packers, or compressors, were created to reduce the size of files on disk, but also to make reverse engineering of executables more difficult. However, although they were intended for good, packers soon became tools for malware creators, and researchers estimate that up to 80% of malware is obfuscated with packers and compression techniques.
While most actors use known packers, which also have unpackers that security solutions might use before scanning files, there are also developers of malicious applications who use custom packers and obfuscation techniques unknown to security vendors.
To determine the location and size of the attribute certificate table, Windows reads the VirtualAddress and Size members of the IMAGE_DATA_DIRECTORY item. The size is also mentioned at the beginning of the attribute certificate table, the researchers explain in their whitepaper. Moreover, Windows uses Authenticode to determine the origin and integrity of software binaries, and X.509 v3 certificates to bind an Authenticode-signed binary to the identity of a software publisher.
To validate the integrity of the file and make sure it hasn’t been tampered with, Windows also calculates its hash and compares it with the hash stored in the SignedData structure. However, researchers discovered that, because Windows excludes three fields from the hash calculation, namely the Checksum, the IMAGE_DIRECTORY_ENTRY_SECURITY entry in the DataDirectory, and the attribute certificate table itself, code can be injected without altering the certificate’s validity.
“Because Windows excludes the fields mentioned above from the hash calculations, we can inject data to the certificate table without damaging the validity of the file’s certificate. By appending malicious content to the end of the certificate table and modifying the relevant fields accordingly (Size [Both in DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY] and in WIN_CERTIFICATE] and CheckSum), we can modify the file without harming the validity of the certificate,” researchers say.
According to the researchers, this injection method allows a malicious file to pass anti-virus verification even if it is not encrypted. The malware isn’t part of the execution process, which prevents anti-malware solutions from detecting it even when the signed file is executed. “This way, we are able to hide malicious content in files across Windows file system, without being identified,” researchers say.
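A defensive check for the condition described above, added here as an example and not taken from the whitepaper: it walks the attribute certificate table and reports bytes left over after the DER-encoded signature blob in each WIN_CERTIFICATE entry. The function names are hypothetical, `sample_pe` is a constructed fixture (bare headers plus a dummy blob, not a real signed binary), and the 7-byte threshold assumes the only legitimate trailing data is zero padding to the 8-byte entry alignment.

```python
import struct

def der_len(buf):
    """Total size (tag + length octets + value) of the DER SEQUENCE at buf[0]."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("certificate blob is not a DER SEQUENCE")
    if buf[1] < 0x80:                          # short-form length
        return 2 + buf[1]
    n = buf[1] & 0x7F                          # long form: n length octets follow
    if n == 0 or len(buf) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def cert_table_extras(pe):
    """Bytes following the DER blob in each WIN_CERTIFICATE entry."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = nt + 24                              # optional header follows COFF header
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    # DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY] is index 4; it holds a file offset
    pos, size = struct.unpack_from("<II", pe, opt + (112 if pe32plus else 96) + 4 * 8)
    end, extras = min(pos + size, len(pe)), []
    while pos + 8 <= end:
        dw_length = struct.unpack_from("<I", pe, pos)[0]
        if dw_length < 8 or pos + dw_length > end:
            raise ValueError("malformed WIN_CERTIFICATE length")
        body = pe[pos + 8:pos + dw_length]     # bCertificate, after the 8-byte header
        extras.append(body[der_len(body):])
        pos += (dw_length + 7) & ~7            # entries are 8-byte aligned
    return extras

def suspicious(extra):
    """Normal alignment padding is at most 7 zero bytes; anything else is flagged."""
    return len(extra) > 7 or any(extra)

def sample_pe(trailing=b""):
    """Constructed fixture: bare PE32 headers plus one dummy certificate entry."""
    body = b"\x30\x82\x01\x00" + b"\xAA" * 256 + trailing
    body += b"\0" * (-len(body) % 8)
    cert = struct.pack("<IHH", len(body) + 8, 0x0200, 0x0002) + body
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x80)    # e_lfanew
    struct.pack_into("<H", hdr, 0x98, 0x10B)   # PE32 magic
    struct.pack_into("<II", hdr, 0x118, len(hdr), len(cert))
    return bytes(hdr) + cert
```

On a real file, pass its bytes to `cert_table_extras` and apply `suspicious` to each returned element; an unsigned file yields an empty list.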
The Deep Instinct researchers were also able to create a Reflective PE Loader to run PE files directly from memory, because they didn’t have the ability to execute code from the certificate section. Furthermore, they also documented how other researchers can replicate the PE execution process on their own. However, their working POC still has three limitations, as it doesn’t run on 64-bit systems, doesn’t support DLL Forwarding, and the Host Process is closed when closing Payload PE, because it uses ExitProcess.
“Malware developers and hackers are constantly searching for advanced techniques to bypass security solutions by steering away from the classic structure of packers where everything is located in one file. This includes finding ways that are not dependent on each other and connecting them. By adopting an attacker’s mindset, the security industry can creatively identify attack vectors and flaws, offering better protection,” the researchers conclude.