Malware creators have figured out a clever new way to hoodwink Windows 10

security
(Image credit: Shutterstock)

Google researchers have spotted malware developers employing a novel trick to confuse and break Windows 10 malware scans by using deliberately malformed signatures on valid certificates.

Cybersecurity researcher with Google’s Threat Analysis Group (TAG) Neel Mehta has shared details about the new trick that’s employed by the developers of the OpenSUpdater malware.

Mehta observed samples of the malware signed with legitimate but intentionally malformed certificates, which confused the scanning mechanism since the certificates were accepted by Windows, but rejected by OpenSSL.

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> <a href="https://project.tolunastart.com/tqsruntime/main?surveyData=LFFFsT0HpgsyUe0tTFumBJohXK8Sedt0ARpsCF4DRGR+oCoVbvd+2+d8+UNIIx4L" data-link-merchant="project.tolunastart.com"" target="_blank">Click here to start the survey in a new window <<

“Security products using OpenSSL to extract signature information will reject this encoding as invalid. However, to a parser that permits these encodings, the digital signature of the binary will otherwise appear legitimate and valid,” notes Mehta. 

Novel approach

Decoding the technical wizardry behind the ploy, BleepingComputer explains that in essence the technique breaks certificate parsing for OpenSSL, preventing parsers from decoding the digital signatures to check their authenticity. 

This enables the malicious samples to avoid detection by security solutions that use OpenSSL-powered detection rules, giving them unimpeded access to their victim’s computer.

Mehta adds that the technique is perhaps the first instance of threat actors using this technique to evade detection. Moreover, so far the technique is only being used by the authors of the OpenSUpdater malware, to inject ads into victims' browsers and install other unwanted programs onto their devices.

However, since first discovering this activity, OpenSUpdater's authors have tried other variations of invalid encodings to further evade detection.

Google TAG has also reported the innovative evasion tactic to Microsoft, even as they work with the Google Safe Browsing team to block this family of unwanted software.

Via BleepingComputer

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.