Jump to content
  • Google finds adware strain abusing novel file signature evasion technique

    aum

    • 770 views
    • 2 minutes
     Share


    • 770 views
    • 2 minutes

    One of Google’s security teams said it found a malware strain abusing a new technique to evade detection from security products by cleverly modifying the digital signature of its payloads.

     

    Discovered by Neel Mehta, a security researcher for the Google Threat Analysis Group (TAG), the technique was seen abused by an adware strain named OpenSUpdater.

     

    In these new samples, the signature was edited such that an End of Content (EOC) marker replaced a NULL tag for the ‘parameters’ element of the SignatureAlgorithm signing the leaf X.509 certificate. EOC markers terminate indefinite-length encodings, but in this case an EOC is used within a definite-length encoding (l= 13).

     

    Neel Mehta, analyst for the Google Threat Analysis Group


    While the technical explanation is a bit hard to understand for non-technical users, Mehta is referring to a tiny edit the OpenSUpdater gang made in a small field inside the digital signature of their payloads.

     

    On Windows systems, this tiny edit does not impact the operating system’s file signature checks, which when passed, allow the file to run without any security warnings.

     

    However, Mehta says that security products, most of which use the OpenSSL library to parse and extract a file’s signature information, will fail to scan files that had their digital signature modified by this method.

     

    “This is the first time TAG has observed actors using this technique to evade detection while preserving a valid digital signature on PE files,” Mehta explained today.

     

    The Google researcher said he reported the issue to Microsoft so the Redmond-based company can start work on modifying its signature checking algorithms.

     

    Files infected with the OpenSUpdater adware are currently distributed via game cracks and pirated software.

     

    Once they infect a system, the adware is used to download and install unwanted software, part of pay-per-install schemes.

     

    Google said most OpenSUpdater victims are located in the US.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...