
Anti-virus fallacies


Signature sleight


Security researchers never stop looking for ways to bypass anti-virus protection. And rightly so: an anti-virus must strive for perfection even though complete invulnerability is impossible to achieve. Vulnerable software is defenceless against malicious programs.

Tom Nipravsky, a researcher with the Israeli company Deep Instinct, has come up with a new method that allows malicious code to be embedded in files that carry legitimate digital signatures, without invalidating their digital certificates, and the files then to be loaded into a memory segment used by another process. The security researcher presented his findings at a Black Hat conference.

The method pioneered by Nipravsky can be adopted by attackers or criminals specialising in cyber espionage because it will enable them to infect a system without being detected by an anti-virus.

The crux of the problem is that a certificate must be stored somewhere. Windows uses Authenticode to validate binary files. The signature data is stored in the attribute certificate table, whose location and size are recorded in a data-directory entry of the PE header. That region is excluded from the hash calculation because the signature is written into it only after the hash has been computed. And this is exactly the place where criminals can append malicious code.
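To make the mechanism concrete, the following is an added example (not code from Dr.Web or from the research described here). It builds a constructed, minimal PE32 image with one WIN_CERTIFICATE entry, computes a simplified Authenticode-style hash that skips the CheckSum field, the certificate-table directory entry and the certificate table itself, and then shows that bytes added to the certificate table leave that hash unchanged. It also includes a defender's heuristic that walks the WIN_CERTIFICATE entries and reports bytes the directory claims as certificate table but that no entry accounts for, plus any bytes after the table. Assumptions: the hash treats the file in order (the real specification orders sections by PointerToRawData and handles header padding separately), and the certificate blob is a placeholder string rather than real PKCS#7 data.

```python
import hashlib
import struct

CERT_TABLE_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the data directory array


def pe_layout(data):
    """Locate the fields Authenticode leaves out of the hash (PE32 and PE32+)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                                  # optional header follows COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_off = opt + (96 if magic == 0x10B else 112)          # first data directory entry
    cert_entry = dir_off + 8 * CERT_TABLE_INDEX
    cert_off, cert_size = struct.unpack_from("<II", data, cert_entry)  # file offset, not an RVA
    return {
        "checksum": (opt + 64, opt + 68),
        "cert_entry": (cert_entry, cert_entry + 8),
        "cert_table": (cert_off, cert_off + cert_size),
    }


def authenticode_hash(data, algo="sha256"):
    """Hash everything except the CheckSum field, the certificate-table directory
    entry and the certificate table. Assumption: file order equals section order."""
    lay = pe_layout(data)
    skip = [lay["checksum"], lay["cert_entry"]]
    if lay["cert_table"][1] > lay["cert_table"][0]:          # only signed images have a table
        skip.append(lay["cert_table"])
    h = hashlib.new(algo)
    pos = 0
    for start, end in sorted(skip):
        h.update(data[pos:start])                            # hash the gap before each skipped range
        pos = end
    h.update(data[pos:])                                     # bytes after the table are still hashed
    return h.hexdigest()


def check_certificate_table(data):
    """Defender's heuristic: bytes inside the table that no WIN_CERTIFICATE entry
    claims, and bytes after the table, are regions a signature check never hashes."""
    off, end = pe_layout(data)["cert_table"]
    pos, claimed = off, 0
    while pos + 8 <= end:
        length = struct.unpack_from("<I", data, pos)[0]      # WIN_CERTIFICATE.dwLength
        padded = (length + 7) & ~7                           # entries are 8-byte aligned
        if length < 8 or pos + padded > end:
            break                                            # malformed entry: stop walking
        claimed += padded
        pos += padded
    return {
        "table_size": end - off,
        "unclaimed_bytes": (end - off) - claimed,
        "trailing_bytes": len(data) - end,
    }


def build_sample_pe(cert_blob, slack=b""):
    """Constructed minimal PE32 with no sections and one WIN_CERTIFICATE entry;
    `slack` is extra data counted in the directory Size but owned by no entry."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    headers_end = 64 + 4 + 20 + 224
    struct.pack_into("<I", opt, 60, headers_end)             # SizeOfHeaders
    entry = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    entry += b"\0" * (-len(entry) % 8)                       # pad entry to 8 bytes
    table = entry + slack
    struct.pack_into("<II", opt, 96 + 8 * CERT_TABLE_INDEX, headers_end, len(table))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    blob = b"constructed PKCS#7 placeholder!!"                # constructed, not a real signature
    clean = build_sample_pe(blob)
    padded = build_sample_pe(blob, slack=b"X" * 16)
    print("hash unchanged by extra cert-table bytes:",
          authenticode_hash(clean) == authenticode_hash(padded))
    print("clean :", check_certificate_table(clean))
    print("padded:", check_certificate_table(padded))
```

The heuristic only flags bytes that sit outside every WIN_CERTIFICATE entry or after the table; data placed inside the signature blob itself passes it, so a scanner has to examine the certificate table's contents rather than trust the declared layout.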

Dr.Web recommends

No section of a file escapes the attention of Dr.Web solutions. Dr.Web believes that having complete trust in a file's signature is reckless, not least because criminals are known to sign malicious files themselves.

For example, BackDoor.Dande, which is designed to steal information from applications that are used by pharmacies and pharmaceutical companies, managed to infect the computers of as many as 400 pharmacies in southern Russia.

Programs of this family target Windows machines. BackDoor.Dande.2 uses two drivers, both of which have a digital signature that is registered to SPВ Group OOO.

The drivers that Trojan.Stuxnet installs into a system have digital signatures that were stolen from legitimate software developers. In July, it emerged that signatures belonging to companies such as Realtek Semiconductor Corp. and JMicron Technology Corp. were being used.

The research conducted by the Israeli security expert once again shows that protection based solely on validating file integrity with checksums and certificates cannot be considered failure-proof.
