Google: Beware of invisible malware

One of the teams of Google he said that he discovered a kind of malware that abuses a new technique to avoid detection by security products by cleverly modifying the digital signature of its files.

0day bw

It was discovered by Neel Mehta, a security researcher in the Google Threat Analysis Group (TAG from Threat Group). This technique was used by an adware strain called OpenSUpdater.

In the samples, the digital signature was processed and the End of Content (EOC) flag was changed to a NULL tag in the “parameters” element of the SignatureAlgorithm that signs the X.509 leaf certificate. EOC pointers terminate encodings of indefinite length, but in this case EOC for the encoding of a certain length (l=13).

The technical explanation given by the researcher is a bit difficult to understand by users who do not know, but Mehta refers to a small edit made by the developers of OpenSUpdater in a small field within the digital signature of its payloads.

On Windows systems, this small edit does not show the signature controls of an operating system file, which makes the malware invisible. This allows him to run without safety warnings.

Mehta states that security products, which use the bibliography OpenSSL to parse and extract a file's signature information, will fail to scan files whose digital signature has been modified by this method.

"This is the first time TAG has discovered hackers who use this technique to avoid detection while maintaining a valid digital signature on PE files," Mehta said today.

The Google researcher contacted Microsoft, and reported the security gap to change them of the control of digital signatures.

Files infected with OpenSUpdater adware are currently distributed via games and software.

Once it infects a system, adware is used to download and install unwanted software.

Google reports that most victims of OpenSUpdater are in the United States.

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.100 registrants.
google, 0day

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).