Mehta observed samples of the malware signed with legitimate but intentionally malformed certificates, which confused the scanning mechanism since the certificates were accepted by Windows but rejected by OpenSSL.
“Security products using OpenSSL to extract signature information will reject this encoding as invalid. However, to a parser that permits these encodings, the digital signature of the binary will otherwise appear legitimate and valid,” notes Mehta.
Decoding the technical wizardry behind the ploy, BleepingComputer explains that the technique in essence breaks certificate parsing for OpenSSL, preventing OpenSSL-based parsers from decoding the digital signature to check its authenticity.
This enables the malicious samples to avoid detection by security solutions that use OpenSSL-powered detection rules, giving them unimpeded access to their victim’s computer.
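To make the parser-disagreement problem concrete, here is an added example (not code from the article, Google TAG, BleepingComputer or OpenSUpdater): a strict DER reader and a lenient BER reader for a single ASN.1 element, plus a scanner rule that treats "the lenient parser accepts what the strict parser rejects" as a detection signal in its own right rather than as an unsigned file. The invalid encodings are constructed illustrations of the general class of problem; the article does not specify the exact malformation OpenSUpdater used.

```python
# Added example, not code from the article, Google TAG or OpenSUpdater: strict DER
# vs lenient BER decoding of one ASN.1 TLV, and a scanner rule that treats
# "lenient accepts, strict rejects" as a signal rather than as "unsigned".
def _header(blob, strict):
    """Return (tag, length or None, header_size); strict enforces DER length rules."""
    if len(blob) < 2:
        raise ValueError("truncated header")
    tag, first = blob[0], blob[1]
    if first < 0x80:                         # short form
        return tag, first, 2
    if first == 0x80:                        # indefinite form, content ends at 00 00
        if strict:
            raise ValueError("indefinite length forbidden in DER")
        return tag, None, 2
    n = first & 0x7F
    lenbytes = blob[2:2 + n]
    if len(lenbytes) != n:
        raise ValueError("truncated length")
    length = int.from_bytes(lenbytes, "big")
    if strict and (lenbytes[0] == 0 or length < 0x80):
        raise ValueError("non-minimal length forbidden in DER")
    return tag, length, 2 + n

def parse_tlv(blob, strict=True):
    """Decode one TLV into (tag, content)."""
    tag, length, hdr = _header(blob, strict)
    if length is None:                       # lenient only; toy: content must not hold 00 00
        end = blob.find(b"\x00\x00", hdr)
        if end < 0:
            raise ValueError("missing end-of-contents octets")
        return tag, blob[hdr:end]
    content = blob[hdr:hdr + length]
    if len(content) != length:
        raise ValueError("content shorter than declared length")
    return tag, content

def classify_signature_blob(blob):
    """Scanner decision: a blob only the lenient parser accepts is suspicious, not clean."""
    try:
        parse_tlv(blob, strict=True)
        return "well-formed"
    except ValueError as strict_err:
        try:
            parse_tlv(blob, strict=False)
        except ValueError:
            return "unparseable"             # neither parser accepts it
        return f"suspicious: lenient parser accepts, strict rejects ({strict_err})"

# Constructed inputs: SEQUENCE { INTEGER 5 } as DER, as BER with indefinite length,
# and as BER with a non-minimal long-form length octet.
GOOD_DER = bytes.fromhex("3003020105")
INDEFINITE_BER = bytes.fromhex("30800201050000")
NONMINIMAL_BER = bytes.fromhex("308103020105")
```

The defensive point is the third branch: a sample whose signature fails strict decoding while a lenient decoder still accepts it should be surfaced for review, not silently skipped as if it carried no signature at all.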
Mehta adds that this is perhaps the first instance of threat actors using the technique to evade detection. Moreover, so far the technique is only being used by the authors of the OpenSUpdater malware, to inject ads into victims' browsers and install other unwanted programs onto their devices.
However, since this activity was first discovered, OpenSUpdater's authors have tried other variations of invalid encodings to further evade detection.
Google TAG has also reported the innovative evasion tactic to Microsoft, even as they work with the Google Safe Browsing team to block this family of unwanted software.