Researchers Show How to Conceal Malware within Authenticated Files, Keeping Hashes Intact

Running an executable on Windows-PC triggers three actions. One, the operating software records the .exe file-name's PE headers. Two, it authenticates the certificate. Three, it authenticates file hash. A team of security researchers called Deep Instinct reverse engineered the sequence of the actions and found that during the process of authenticating file hash, Windows doesn't take into consideration PE headers' 3 fields and that making changes to the said fields doesn't annul the certificate's authenticity.

Deep Instinct experts while presenting a whitepaper during the 2016 Black Hat conference in USA showed that one could conceal malware and run it inside a file devoid of annulling the usual execution of PE. Developers of malicious codes keep finding ways for bypassing detection as well as prevention while often utilize encryption tactics and packers to do so. That's because security software work effectively solely when they manage unzipping a zipped malware-laden archive and similarly decrypting an encrypted malware-coded file. It's possible to identify compressed and encrypted content both during execution and on hard disk, however the researchers show this can be prevented with their freshly found method. Oodaloop.com posted this, August 9, 2016.

The researchers' proof-of-concept didn't show their finding simply because the team had infected the table of attribute certificate, effectively freeing digital e-certificate along with file hash from being embezzled and thus keeping both digital certificate and file hash as they are. The said technique has proven so effective that distributors of malware don't even require concealing their code through packers. That's because security software like anti-viruses by default overlook any file that contains a digital signature.

The researchers elaborated at the conference that if malware infects the disk and escapes identification it's favorable for the attackers but if it doesn't do its task its importance is mitigated. Hence, claim the researchers they created the PE Loader that would run PE files straight out of memory.

Moreover, the researchers indicated that the PE Loader doesn't work with 64-bit architecture.

Deep Instinct's research shows how perfectly malware can be easily hidden straight inside a digital certificate which's meant for validating a file's source while protecting users against badware.

» SPAMfighter News - 8/16/2016