Researcher hides stealthy malware inside legitimate digitally signed files

hjlbx

anything that will protect from this kind of exploit?

It is not just exploit. It can be stealthed in a file downloaded to system.

Best protection is not to execute unknown\untrusted files in the first place, but if you must then you can use light virtualization (Sandboxie\COMODO\Shadow Defender\VM, etc), use snapshot product (Rx products) and\or run processes with limited rights (Sandboxie\AppGuard\ReHIPS).

This is not difficult...
 
hjlbx

Signature detection is just a basic layer of protection. It is highly unreasonable to expect AV signature detection, HIPS, IDS, etc to catch everything.

Some type of virtualization or snapshot rollback ability is best option to deal with unknown\untrusted files.

Light virtualization is OK, but under rare circumstances it can be bypassed. Low enough incidence that it is nothing to fret about.

Snapshot is OK, but you have to uninstall for MBR modifying updates and it too can be bypassed under rare circumstances - such as malicious firmware. Low enough incidence that it is nothing to fret about.

And I'm just talking about physical system protection here - without any consideration for network protection - which is an unwieldy beast to deal with all by itself.

Either way there is no bullet-proof solution or 100 % user friendly option. To believe otherwise or to think a completely bullet-proof config is possible is incorrect.

You can get to 98 - 99 %, but that last 5 to 10 % will require 90 % of your security config time and effort.

Pick what is reliable, easy for you to use, and that you like using - and it will all be OK.

If you do get infected (and I'm not talking about a simple browser hijack that can be cleaned by using CCleaner), just clean install your OS and start from scratch... pretty simple concept.

The safe and secure bets remain the same - because they just work:
  • AppGuard
  • Sandboxie
  • Shadow Defender
  • ReHIPS
  • Rollback Rx Home & Pro
  • Drive Vaccine Rx
  • Reboot Restore Rx
  • Macrium Reflect
 
shmu26

hjlbx said:

It is not just exploit. It can be stealthed in a file downloaded to system.

Best protection is not to execute unknown\untrusted files in the first place, but if you must then you can use light virtualization (Sandboxie\COMODO\Shadow Defender\VM, etc), use snapshot product (Rx products) and\or run processes with limited rights (Sandboxie\AppGuard\ReHIPS).

This is not difficult...

do you think voodoo Ai would allow a file like this, seeing as it is digitally signed and bears a file name that probably has a good rep in Virus Total?
 
hjlbx

shmu26 said:

do you think voodoo Ai would allow a file like this, seeing as it is digitally signed and bears a file name that probably has a good rep in Virus Total?

AI more than likely doesn't check the PE header - so I suspect the answer is No -- but you should ask the developer:

1. What AI will do in this case?
2. What he thinks VS will do if the PE is whitelisted by VS? - any malicious code will be run as the child of a whitelisted process; needs to be verified by testing an actual sample against VS.
3. What VS does in the case of RMI (reflective memory injection)?
 
hjlbx

Once you allow something to execute on your system -- all bets are off.

Since you - as the user - are the primary blocking agent against file execution - there should be very little likelihood of an infection with some basic knowledge and habits.
 

DardiM

Hiding stealthy malware inside a legitimate digitally signed file changes a lot of info: the file is not the same as the original

=> CRC, SHA256, HASH, (size), etc.
=> I mainly trust this info (when given by the author, and compared to the prog)

It's important to download software directly from the main site :)

And not leaving default settings on most security tools / AVs
(My Kaspersky is set to not trust digitally signed files)

hjlbx said:

Signature detection is just a basic layer of protection. It is highly unreasonable to expect AV signature detection, HIPS, IDS, etc to catch everything.

The safe and secure bets remain the same - because they just work:
  • AppGuard
  • Sandboxie
  • Shadow Defender
  • ReHIPS
  • Rollback Rx Home & Pro
  • Drive Vaccine Rx
  • Reboot Restore Rx
  • Macrium Reflect

+100000
 
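DardiM's hash point, as an added example that is not part of the thread: whatever the signature says, the whole-file SHA-256 of a modified file no longer matches the value the vendor published. The two layout checks are my addition and assume that data smuggled into a signed PE ends up either past the region the headers and certificate table account for, or as unclaimed slack inside the certificate table itself, which the signature does not cover; the skeletal PE is constructed for the demo, not a real binary.

```python
import hashlib
import hmac
import struct

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit_signed_pe(data: bytes, published_sha256: str) -> dict:
    """Whole-file hash vs. the vendor's published value, plus bytes the PE layout does not account for."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nsect, _, _, _, opt_size = struct.unpack_from("<H3IH", data, e_lfanew + 6)
    opt = e_lfanew + 24
    dirs = opt + (112 if struct.unpack_from("<H", data, opt)[0] == 0x20B else 96)  # PE32+ vs PE32
    cert_off, cert_size = struct.unpack_from("<II", data, dirs + 4 * 8)  # IMAGE_DIRECTORY_ENTRY_SECURITY
    sect_hdr = opt + opt_size
    covered = sect_hdr + 40 * nsect                                       # end of the headers
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_hdr + 40 * i + 16)
        covered = max(covered, raw_ptr + raw_size)
    covered = max(covered, cert_off + cert_size)
    # Walk the WIN_CERTIFICATE entries; table bytes no entry claims are slack the signature never covers
    used, pos = 0, cert_off
    while cert_size and pos + 8 <= cert_off + cert_size:
        length = struct.unpack_from("<I", data, pos)[0]
        if length < 8:
            break
        step = (length + 7) & ~7                                          # entries are 8-byte aligned
        used, pos = used + step, pos + step
    return {
        "hash_matches": hmac.compare_digest(sha256_hex(data), published_sha256.lower()),
        "overlay_bytes": max(0, len(data) - covered),
        "cert_table_slack": max(0, cert_size - used),
    }

def make_sample(cert_slack: int = 0, overlay: bytes = b"") -> bytes:
    """Constructed skeletal PE32 for the demo (one section, a dummy certificate table); not a real binary."""
    buf = bytearray(0x480)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                     # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x44, 0x14C, 1)                 # Machine, NumberOfSections
    struct.pack_into("<H", buf, 0x54, 224)                       # SizeOfOptionalHeader
    struct.pack_into("<H", buf, 0x58, 0x10B)                     # PE32 magic
    struct.pack_into("<II", buf, 0x58 + 96 + 4 * 8, 0x400, 0x80)  # security dir: cert table at 0x400, 0x80 bytes
    struct.pack_into("<II", buf, 0x138 + 16, 0x200, 0x200)       # section: SizeOfRawData, PointerToRawData
    struct.pack_into("<IHH", buf, 0x400, 0x80 - cert_slack, 0x200, 2)  # WIN_CERTIFICATE: dwLength, rev, type
    return bytes(buf) + overlay
```

A non-zero `cert_table_slack` or `overlay_bytes` on a file whose hash does not match the published one is the case DardiM describes: signed, but not the file the author shipped.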

shmu26

hjlbx said:

AI more than likely doesn't check the PE header - so I suspect the answer is No -- but you should ask the developer:

1. What AI will do in this case?
2. What he thinks VS will do if the PE is whitelisted by VS? - any malicious code will be run as the child of a whitelisted process; needs to be verified by testing an actual sample against VS.
3. What VS does in the case of RMI (reflective memory injection)?

the Dev speaks:

Hey Shmu,

How are you? Yeah, I am aware of this, and I am on it ;).

One of the main things that VoodooAi does is extract and analyze data from the PE Header (among many other things), which is why machine learning and Ai is so incredibly useful in pre-execution malware analysis… it severely limits what techniques malware authors can perform.

I would suspect that VoodooAi would easily identify a file whose header is tampered with as unsafe (this is one of the main indicators that VoodooAi looks for), but we will not know until we have some samples that we can test. Once we have some samples to work with, we will know more, but I think we are good to go for now. If anyone can find some samples, please test with VS / VoodooAi and let everyone know the results, or please send us the files! Thank you for checking!

Thank you,

Dan
 

_CyberGhosT_

shmu26 said:

the Dev speaks:

Hey Shmu,

How are you? Yeah, I am aware of this, and I am on it ;).

One of the main things that VoodooAi does is extract and analyze data from the PE Header (among many other things), which is why machine learning and Ai is so incredibly useful in pre-execution malware analysis… it severely limits what techniques malware authors can perform.

I would suspect that VoodooAi would easily identify a file whose header is tampered with as unsafe (this is one of the main indicators that VoodooAi looks for), but we will not know until we have some samples that we can test. Once we have some samples to work with, we will know more, but I think we are good to go for now. If anyone can find some samples, please test with VS / VoodooAi and let everyone know the results, or please send us the files! Thank you for checking!

Thank you,

Dan

And people wonder why I say VS is not leaving my machine.
They all come and go but myself and VS are my main lines of prevention and we are both pretty smart :p
Now hurry up and release ReHIPS so I can give VS a playmate :confused:
 

jamescv7

Actually the malware itself plays mind games.

Antivirus should analyze if it is for convenience or for protection purposes. They should be aware of the concept of whitelisting without modifying the components.

Digitally signed files must be the focus nowadays because everything will be useless when a bypass occurs.

-------------------------------------------

Only anti-exe and virtualization hold the main essence of protection because they have no boundaries compared to AV.
 