One of Google's security teams says it has discovered a piece of malware that abuses a new technique to avoid detection by security products: it cleverly modifies the digital signature of its files.
It was discovered by Neel Mehta, a security researcher in Google's Threat Analysis Group (TAG). The technique is used by an adware strain called OpenSUpdater.
In the samples, the digital signature was edited so that an End of Content (EOC) marker replaced the NULL tag in the "parameters" element of the SignatureAlgorithm that signs the X.509 certificate. EOC markers terminate indefinite-length encodings, but in this case the EOC is used inside a definite-length encoding (l = 13).
The technical explanation given by the researcher is hard for uninitiated readers to follow, but in short Mehta is describing a small edit that the OpenSUpdater developers made to one small field inside the digital signature of their payloads.
On Windows systems, this small edit is not caught by the operating system's signature checks, which keeps the malware invisible: it runs without any security warnings.
Mehta reports that security products that use the OpenSSL library to parse and extract a file's signature information will fail to scan files whose digital signature has been modified in this way.
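The following is an added example, not code from Google's report or from the OpenSUpdater samples: a small Python DER walker that flags an EOC tag found inside a definite-length structure. It runs over two constructed inputs, a well-formed sha256WithRSAEncryption AlgorithmIdentifier and a copy of it in which the NULL parameters are replaced by an EOC marker (the 13-byte SEQUENCE matches the l = 13 mentioned above).

```python
"""Flag an End-of-Content (EOC) marker used inside a definite-length DER structure.

The sample bytes below are constructed for this example; they are not taken
from real OpenSUpdater files.
"""
from typing import List, Optional, Tuple

# AlgorithmIdentifier for sha256WithRSAEncryption: SEQUENCE (length 13) { OID, NULL }
WELL_FORMED_ALG_ID = bytes.fromhex("300d06092a864886f70d01010b0500")
# Same 13-byte SEQUENCE, but the NULL parameters (05 00) replaced by an EOC marker (00 00)
EOC_IN_PARAMS_ALG_ID = bytes.fromhex("300d06092a864886f70d01010b0000")


def read_header(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Return (tag, length, content_start) for the TLV at pos; length -1 means indefinite.
    Single-byte tags only, which is all an X.509 AlgorithmIdentifier uses."""
    tag, first = buf[pos], buf[pos + 1]
    if first == 0x80:                     # indefinite length (BER only, never DER)
        return tag, -1, pos + 2
    if first < 0x80:                      # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                      # long form: next n bytes hold the length
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def scan(buf: bytes, pos: int = 0, end: Optional[int] = None, depth: int = 0) -> List[str]:
    """Walk nested TLVs and report every EOC tag (0x00) that sits inside a
    definite-length encoding, where DER never allows one. Indefinite lengths
    and lengths that overrun their container are reported too."""
    findings: List[str] = []
    end = len(buf) if end is None else end
    while pos + 1 < end:                  # need at least a tag byte and a length byte
        tag, length, start = read_header(buf, pos)
        if length < 0:
            findings.append(f"indefinite length at offset {pos} (not valid DER)")
            break
        content_end = start + length
        if content_end > end:
            findings.append(f"length {length} at offset {pos} overruns its container")
            break
        if tag == 0x00:
            findings.append(f"EOC marker at offset {pos} inside a definite-length encoding (depth {depth})")
        elif tag & 0x20:                  # constructed tag: descend into its contents
            findings += scan(buf, start, content_end, depth + 1)
        pos = content_end
    return findings


if __name__ == "__main__":
    for name, sample in (("well-formed", WELL_FORMED_ALG_ID), ("eoc-in-params", EOC_IN_PARAMS_ALG_ID)):
        print(name, scan(sample) or "no anomalies")
```

The same check can be run over the full certificate blob extracted from a signed PE, since `scan` descends into every constructed element.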
"This is the first time TAG has discovered hackers using this technique to avoid detection while maintaining a valid digital signature on PE files," Mehta said today.
The Google researcher contacted Microsoft and reported the security gap so that the digital signature checking algorithms can be changed.
Files infected with the OpenSUpdater adware are currently being distributed through cracked games and software.
Once it infects a system, the adware is used to download and install other unwanted software.
Google reports that most victims of OpenSUpdater are in the United States.