Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Researcher hides stealthy malware inside legitimate digitally signed files

Lucian Constantin | Aug. 8, 2016
The technique, which doesn't break the original file's signature, can allow malware to bypass antivirus detection

For example, attackers could add their malicious code to one of the many Microsoft-signed Windows system files or to a Microsoft Office file. Their signatures would still be valid and the files functional.

Moreover, most security applications whitelist these files because they're signed by trusted publisher Microsoft to avoid false positive detections that could delete critical files and crash the system.

The second part of Nipravsky's research was to develop a stealthy way to load the malicious executable files hidden inside signed files without being detected. He reverse engineered the whole behind-the-curtain process that Windows performs when loading PE files to memory. This procedure is not publicly documented because developers don't typically need to do this themselves; they rely on the OS for file execution.

It took four months of eight-hours-per-day work, but Nipravsky's reverse engineering efforts allowed him to create a so-called reflective PE loader: an application that can load portable executables directly into the system memory without leaving any traces on disk. Because the loader uses the exact process that Windows does, it's difficult for security solutions to detect its behavior as suspicious.

Nipravsky's loader can be used as part of a stealthy attack chain, where a drive-by download exploit executes a malware dropper in memory. The process then downloads a digitally signed file with malicious code in its ACT from a server and then loads that code directly into memory.

The researcher has no intention of releasing his loader publicly because of its potential for abuse. However, skilled hackers could create their own loader if they're willing to put in the same effort.

The researcher tested his reflective PE loader against antivirus products and managed to execute malware those products would have otherwise detected.

In a demo, he took a ransomware program that one antivirus product normally detected and blocked, added it to the ACT of a digitally signed file, and executed it with the reflective PE loader.

The antivirus product only detected the ransom text file created by the ransomware program after it had already encrypted all of the user's files. In other words, too late.

Even if attackers don't have Nipravsky's reflective PE loader, they can still use the steganography technique to hide malware configuration data inside legitimate files or even to exfiltrate data stolen from organizations. Data hidden inside a digitally signed file would likely pass network-level traffic inspection systems without problems.

 

Previous Page  1  2 

Sign up for Computerworld eNewsletters.