Anti-virus fallacies


Signature sleight


Friday, August 26, 2016

Security researchers never stop looking for ways to bypass anti-virus protection. And rightly so: an anti-virus must strive for perfection even though complete invulnerability is impossible to achieve. No software is free of vulnerabilities, and malicious programs exploit them.

Tom Nipravsky, a researcher with the Israeli company Deep Instinct, has demonstrated a method for embedding malicious code in a file that carries a legitimate digital signature without invalidating that signature, and for then loading the hidden code into the memory of another process so that it never has to exist on disk as a separate executable. He presented his findings at the Black Hat USA 2016 conference.

Attackers and groups specialising in cyber espionage can adopt Nipravsky's method because it lets them infect a system without being detected by an anti-virus that treats a valid signature as proof that a file is clean.

The crux of the problem is that the signature has to be stored somewhere inside the very file it certifies. Windows validates PE binaries with Authenticode: the PKCS#7 signature blob lives in the attribute certificate table, which the security entry of the PE header's data directory points to and which normally sits at the end of the file. Because a signature cannot cover itself, the Authenticode hash skips exactly three regions: the CheckSum field of the optional header, that data-directory entry, and the whole certificate table. Anything an attacker appends inside the certificate table after the PKCS#7 blob (enlarging the table's length fields to match) therefore leaves the hash, and with it the signature, intact. That is exactly where the malicious code is stored.
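As an added illustration (this is not code from the article or from Nipravsky's research), the following Python script builds a constructed, section-less PE image, computes the Authenticode digest the way the specification prescribes (every byte except CheckSum, the security directory entry and the certificate table), and then checks whether the certificate table holds bytes beyond the DER-encoded PKCS#7 blob and its 8-byte alignment padding. The "PKCS#7" blob and the smuggled payload are placeholders with the right length encoding, not a real signature; the function and constant names are this example's own.

```python
import hashlib
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
SECURITY_DIR_INDEX = 4                  # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def pe_layout(data):
    """Offsets of the three regions Authenticode excludes: the CheckSum field,
    the security data-directory entry, and the certificate table it points to."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 4 + 20                        # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum_off = opt + 64                        # CheckSum is at +64 in both PE32 and PE32+
    data_dirs = opt + (96 if magic == PE32_MAGIC else 112)
    sec_dir_off = data_dirs + 8 * SECURITY_DIR_INDEX
    cert_off, cert_size = struct.unpack_from("<II", data, sec_dir_off)
    return checksum_off, sec_dir_off, cert_off, cert_size


def authenticode_hash(data, algo="sha256"):
    """Authenticode digest. Assumes sections are in file order and the certificate
    table is last (the usual layout); the full spec also sorts sections by
    PointerToRawData before hashing them."""
    checksum_off, sec_dir_off, cert_off, cert_size = pe_layout(data)
    skip = [(checksum_off, 4), (sec_dir_off, 8)]
    if cert_size:
        skip.append((cert_off, cert_size))
    h = hashlib.new(algo)
    pos = 0
    for off, length in sorted(skip):               # hash the gaps between excluded regions
        h.update(data[pos:off])
        pos = off + length
    h.update(data[pos:])
    return h.hexdigest()


def plain_file_hash(data, algo="sha256"):
    """Ordinary whole-file digest, for contrast."""
    return hashlib.new(algo, data).hexdigest()


def der_total_length(blob):
    """Byte length of the outermost DER element (tag + length + content)."""
    if not blob or blob[0] != 0x30:
        raise ValueError("PKCS#7 SignedData must start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                               # short-form length
        return 2 + first
    n = first & 0x7F                               # long form: n length bytes follow
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def certificate_table_slack(data):
    """Bytes in the first WIN_CERTIFICATE entry beyond the DER blob and its
    8-byte padding. A genuine signature leaves nothing here."""
    _, _, cert_off, cert_size = pe_layout(data)
    if not cert_size:
        return b""
    dw_length, revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    if revision != WIN_CERT_REVISION_2_0 or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("unexpected WIN_CERTIFICATE header")
    blob = data[cert_off + 8:cert_off + dw_length]
    padded_len = (der_total_length(blob) + 7) & ~7
    return blob[padded_len:]


def build_minimal_pe(cert_payload):
    """Constructed fixture: section-less PE32 image with cert_payload as its
    certificate table. Enough for the parsers above; not a loadable program."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)    # i386, 0 sections
    opt = bytearray(224)                                              # PE32 optional header
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 60, 0x200)                            # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    image = bytearray((bytes(dos) + b"PE\0\0" + coff + bytes(opt)).ljust(0x200, b"\0"))
    wincert = struct.pack("<IHH", 8 + len(cert_payload), WIN_CERT_REVISION_2_0,
                          WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_payload
    sec_dir_off = len(dos) + 4 + 20 + 96 + 8 * SECURITY_DIR_INDEX
    struct.pack_into("<II", image, sec_dir_off, len(image), len(wincert))
    return bytes(image + wincert)


# Constructed stand-in for PKCS#7 SignedData: a SEQUENCE of 256 bytes (260 total,
# padded to 264). Only the length encoding matters; this is not a real signature.
FAKE_PKCS7 = b"\x30\x82\x01\x00" + b"\xA5" * 256 + b"\0" * 4
SMUGGLED_PAYLOAD = b"smuggled payload"            # constructed placeholder
CLEAN_PE = build_minimal_pe(FAKE_PKCS7)
SMUGGLED_PE = build_minimal_pe(FAKE_PKCS7 + SMUGGLED_PAYLOAD)

if __name__ == "__main__":
    print("Authenticode hash unchanged:", authenticode_hash(CLEAN_PE) == authenticode_hash(SMUGGLED_PE))
    print("whole-file hash unchanged:  ", plain_file_hash(CLEAN_PE) == plain_file_hash(SMUGGLED_PE))
    print("slack in clean file:   ", certificate_table_slack(CLEAN_PE))
    print("slack in smuggled file:", certificate_table_slack(SMUGGLED_PE))
```

The two images differ only inside the certificate table, so the Authenticode digest is identical while the whole-file digest changes, and `certificate_table_slack` exposes the appended bytes. Windows accepts such trailing data by default; the opt-in hardening shipped with MS13-098 (the `EnableCertPaddingCheck` value under the Wintrust\Config registry key) makes WinVerifyTrust reject files whose certificate table carries anything beyond the padded PKCS#7 blob, which is the same check this script performs.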

The Anti-virus Times recommends

No section of a file escapes the attention of Dr.Web solutions. Doctor Web believes that placing complete trust in a file's signature is reckless, not least because criminals are known to sign malicious files themselves.

For example, BackDoor.Dande, which is designed to steal information from applications that are used by pharmacies and pharmaceutical companies, managed to infect the computers of as many as 400 pharmacies in southern Russia.

Programs of this family target Windows machines. BackDoor.Dande.2 uses two drivers, both of which carry a digital signature issued to SPB Group OOO.

The drivers that Trojan.Stuxnet installs into a system carry digital signatures stolen from legitimate software developers. In July 2010 it emerged that signatures belonging to Realtek Semiconductor Corp. and JMicron Technology Corp. were being misused in this way.

The research conducted by the Israeli security expert once again shows that protection that relies solely on a valid checksum or certificate to vouch for a file cannot be considered failure-proof.

