A new malware-hiding method, one that would come in very handy to cybercriminals, was recently discovered.
The Deep Instinct security team found that malware code can be hidden inside digitally signed binaries without changing the file hash that the signature covers. Hidden this way, the malicious file is very unlikely, if not impossible, for anti-virus programs and security software to detect.
When the binary is launched, Windows first reads the file's PE headers, then validates the certificate and, lastly, validates the file hash. Deep Instinct's researchers reverse engineered this entire process and found that three fields in the PE headers are excluded from the hash calculation, so altering them does not affect the validity of the certificate.
The three excluded fields are the file's Checksum, the IMAGE_DIRECTORY_ENTRY_SECURITY entry in the DataDirectory, and the file's attribute certificate table. To prove that modifying these fields would not break the certificate's validity, the researchers injected malicious code into the attribute certificate table, leaving both the file hash and the digital signature intact.
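The following Python is an added illustration, not Deep Instinct's code: it hashes a flat image while skipping the three excluded regions, then applies a defender-side check that counts bytes inside the WIN_CERTIFICATE entry that the embedded DER-encoded PKCS#7 object does not account for. The flat-buffer layout, the offsets and the sample bytes are constructed assumptions, and the slack heuristic is an assumption about how injected data would show up.

```python
import hashlib
import struct

# Simplification (assumption): the image is one flat buffer whose certificate
# table sits at the very end, so hashing everything except the three excluded
# ranges matches the Authenticode hashing order for that layout.
def authenticode_hash(image, checksum_off, secdir_off, cert_off, cert_size):
    skip = [(checksum_off, 4),       # OptionalHeader.CheckSum
            (secdir_off, 8),         # DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY]
            (cert_off, cert_size)]   # the attribute certificate table itself
    h, pos = hashlib.sha256(), 0
    for off, size in sorted(skip):
        h.update(image[pos:off])
        pos = off + size
    h.update(image[pos:])
    return h.hexdigest()

def certificate_table_slack(table):
    """Bytes in a WIN_CERTIFICATE entry not covered by its DER SignedData (<=7 is normal padding)."""
    dw_length, _revision, _cert_type = struct.unpack_from("<IHH", table, 0)
    der = table[8:dw_length]
    if der[:1] != b"\x30":           # PKCS#7 SignedData starts with a DER SEQUENCE
        raise ValueError("bCertificate is not a DER SEQUENCE")
    first = der[1]
    if first & 0x80:                 # long-form length: 0x8N then N length bytes
        n = first & 0x7F
        der_len = 2 + n + int.from_bytes(der[2:2 + n], "big")
    else:
        der_len = 2 + first
    return len(der) - der_len

CHECKSUM_OFF, SECDIR_OFF, HEADER_LEN = 16, 32, 64
DER = b"\x30\x08" + b"\xaa" * 8         # constructed stand-in for a SignedData blob

def sample_image(extra=b""):
    """Constructed stand-in PE: 64 zero bytes for headers/body, then the cert table.
    `extra` is appended inside the WIN_CERTIFICATE entry, as the research describes."""
    header = bytearray(HEADER_LEN)
    table = struct.pack("<IHH", 8 + len(DER) + len(extra), 0x0200, 0x0002) + DER + extra
    struct.pack_into("<II", header, SECDIR_OFF, HEADER_LEN, len(table))  # RVA, size
    return bytes(header) + table

def check(image):
    cert_off, cert_size = struct.unpack_from("<II", image, SECDIR_OFF)
    digest = authenticode_hash(image, CHECKSUM_OFF, SECDIR_OFF, cert_off, cert_size)
    return digest, certificate_table_slack(image[cert_off:cert_off + cert_size])

if __name__ == "__main__":
    clean, slack0 = check(sample_image())
    padded, slack1 = check(sample_image(b"CONSTRUCTED-EXTRA-BYTES"))
    print("hash unchanged:", clean == padded, "| unaccounted bytes:", slack0, "->", slack1)
```

Growing the certificate table (and its DataDirectory size) leaves the digest untouched, while the slack count exposes the extra bytes; a change to any hashed byte alters the digest as expected.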
This newly found malware-hiding method makes things a piece of cake for cyber crooks. They would not even need a code obfuscator for disguise anymore, as all digitally signed files are automatically ignored by antivirus and security software. Moreover, because the file hash is not broken, the tactic also survives any secondary hash checks that security software may perform.
The Deep Instinct team was not only able to discover this method but they also managed to find a way to launch the malicious code from the file’s attribute certificate table.
"Having a malicious file in the disk without having it identified is nice, but having nothing to do with it makes it less interesting," the research team explained in their recent Black Hat presentation. "That is the reason why we wrote a Reflective PE Loader: to execute PE files directly from memory."
Despite this success, the research team said that, at this point, their Reflective PE Loader does not support 64-bit binaries.
This discovery comes as a huge present to cybercriminals, allowing them to hide malicious code right inside the digital certificate that is supposed to protect users from malware and verify the origin of the file.