Google researchers have spotted malware developers employing a novel trick to confuse and break Windows 10 malware scans by using deliberately malformed signatures on valid certificates.
Neel Mehta, a cybersecurity researcher with Google's Threat Analysis Group (TAG), has shared details about the new trick employed by the developers of the OpenSUpdater malware.
Mehta observed samples of the malware signed with legitimate but intentionally malformed certificates. This confused the scanning mechanism, since the certificates were accepted by Windows but rejected by OpenSSL.
“Security products using OpenSSL to extract signature information will reject this encoding as invalid. However, to a parser that permits these encodings, the digital signature of the binary will otherwise appear legitimate and valid,” notes Mehta.
Novel approach
Explaining the technical detail behind the ploy, BleepingComputer notes that the technique essentially breaks certificate parsing for OpenSSL, so that OpenSSL-based parsers cannot decode the digital signature and therefore cannot check its authenticity.
This lets the malicious samples avoid detection by security solutions that rely on OpenSSL-powered detection rules, giving them unimpeded access to the victim's computer.
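The security-relevant lesson for defenders is that a signature which one parser rejects and another accepts is a parser differential, and a detection pipeline should treat "strict parser fails, lenient parser succeeds" as a signal rather than as "no signature present". The following is an added example, not code from the article, from Google TAG or from any security product. The page does not describe the exact malformation OpenSUpdater uses, so the example uses a generic, hypothetical DER violation (a non-minimal length encoding, which BER tolerates but DER forbids) purely to show the shape of the check; the byte strings, the `Node` type and the `classify` function are all constructed for this illustration.

```python
"""Added example (not from the article or Google TAG): a toy DER/BER parser
differential and a classifier that treats the differential as suspicious.

The specific encoding trick used by OpenSUpdater is not given on the page;
the malformed sample below is a hypothetical stand-in (a non-minimal length
byte, which BER accepts but strict DER rejects)."""

from dataclasses import dataclass, field


@dataclass
class Node:
    tag: int
    value: bytes                      # raw contents
    children: list = field(default_factory=list)   # filled for constructed types


class DERError(ValueError):
    """Raised when the input cannot be decoded under the chosen rules."""


def _read_length(buf, pos, strict):
    first = buf[pos]
    pos += 1
    if first < 0x80:                  # short form
        return first, pos
    n = first & 0x7F
    if n == 0:
        raise DERError("indefinite length not supported")
    if pos + n > len(buf):
        raise DERError("truncated length")
    length_bytes = buf[pos:pos + n]
    length = int.from_bytes(length_bytes, "big")
    pos += n
    # Strict DER requires the shortest possible length encoding.
    if strict and (length < 0x80 or length_bytes[0] == 0):
        raise DERError("non-minimal length encoding")
    return length, pos


def _parse_one(buf, pos, strict):
    if pos >= len(buf):
        raise DERError("truncated element")
    tag = buf[pos]
    pos += 1
    length, pos = _read_length(buf, pos, strict)
    if pos + length > len(buf):
        raise DERError("truncated value")
    body = buf[pos:pos + length]
    node = Node(tag, body)
    if tag & 0x20:                    # constructed: decode the nested elements
        p = 0
        while p < len(body):
            child, p = _parse_one(body, p, strict)
            node.children.append(child)
    return node, pos + length


def parse(buf, strict=True):
    """Decode one top-level element. strict=True enforces DER; False is BER-lenient."""
    node, end = _parse_one(buf, 0, strict)
    if end != len(buf):
        raise DERError("trailing bytes")
    return node


# Constructed samples: an AlgorithmIdentifier-shaped SEQUENCE { OID, NULL }.
# GOOD is canonical DER; MALFORMED carries the same content with the SEQUENCE
# length written as long-form 0x81 0x0D instead of 0x0D (hypothetical, not the
# OpenSUpdater encoding).
GOOD = bytes.fromhex("300d06092a864886f70d01010b0500")
MALFORMED = bytes.fromhex("30810d06092a864886f70d01010b0500")


def naive_verdict(blob):
    """A rule that only asks 'did strict parsing succeed?' and otherwise falls
    through as if the file were unsigned; this is the blind spot the article describes."""
    try:
        parse(blob, strict=True)
        return "signed"
    except DERError:
        return "unsigned"


def classify(blob):
    """Fail-closed classification: a blob that a strict parser rejects but a
    lenient parser accepts is flagged rather than silently treated as unsigned."""
    try:
        parse(blob, strict=True)
        return "valid-der"
    except DERError:
        pass
    try:
        parse(blob, strict=False)
    except DERError:
        return "undecodable"
    return "parser-differential"


if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("MALFORMED", MALFORMED)):
        print(f"{name}: naive={naive_verdict(blob)} classify={classify(blob)}")
```

Note the contrast between the two verdicts on `MALFORMED`: the naive rule downgrades the sample to "unsigned" and lets signature-based rules fall through, whereas `classify` returns `parser-differential`, which a detection engineer can route to a separate, higher-severity rule.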
Mehta adds that this is perhaps the first instance of threat actors using the technique to evade detection. So far it has only been used by the authors of the OpenSUpdater malware, to inject ads into victims' browsers and install other unwanted programs onto their devices.
However, since the activity was first discovered, OpenSUpdater's authors have tried other variations of invalid encodings to further evade detection.
Google TAG has reported the evasion tactic to Microsoft, and is working with the Google Safe Browsing team to block this family of unwanted software.
Via BleepingComputer