The Latest in IT Security

Signed Malware – You can run.But you can’t hide

24
Mar
2012


It’s been over a year now since McAfee became an Intel company and the team and I have been privileged to be a part of designing and developing our DeepSAFE technology, as well as Deep Defender, the first available product that leverages this advancement. Recent threats in-the-news validates what we’ve been working on and this blog serves an update to our followers.

Signed Malware Prevalence

Digitally Signed Malware has received the media attention recently. Indeed over 200,000 new and unique malware binaries discovered in 2012 have valid digital signatures.

Unique Malicious Binares Discovered With Valid Digital Signatures (cumulative starting Jan 2012)

Source: McAfee Labs Sample Database

Why Sign?

Attackers sign malware in an attempt to trick users and admins into trusting the file, but also in an effort to evade detection by security software and circumvent system policies. Much of this malware is signed with stolen certificates, while other binaries are self-signed, or “test signed”. Test signing is sometimes used as part of a social engineering attack.

Which signature is real?

Answer: Well, they’re both real and valid certificates, but one is test signed.

Test Signing

Test Signing is particularly useful to attackers on 64bit Windows, where Microsoft enforces driver signing. By default such drivers will not load. However, Microsoft provides developers with the means of disabling this policy, and malware authors have learned to do the same. 64bit rootkits such as Necurs used by Banker, Advanced PC Shield 2012, and Cridex use this approach to compromise the operating system. To combat this, Deep Defender v1.0.1 blocks Test Signed drivers by default, while allowing EPO administrators to selectively exclude in-house kernel driver developer’s systems as necessary.

This is just one layer of protection of course. Security is about “defense in depth”, from network to silicon. Real time memory monitoring allows Deep Defender to identify the Necurs rootkit as it attempts to compromise the kernel.

Trying to Hide

Being able to observe transient events in memory allows DeepSAFE to get passed obfuscated file views that challenge traditional antivirus solutions.

Case in point is the Mediyes Trojan referenced in the aforementioned press articles. A quick check of our sample database shows over 7,000 unique binaries in this family. Yet memory rules written over a year ago to cover rootkit techniques are able to proactively identify the latest signed attack, 0day.

After the attacks were known, the certificate was revoked

Here DeepSAFE intercepts the malware attempting to modify the write protection bit of the Cr0 control register, as well as install kernel inline hooks on the ZwResumeThread function.

VirusTotal shows traditional file scanning was not very successful against this particular sample (2 out of 43 scanners detecting):

More to Come

For some time now we’ve seen malicious payloads that attempt to steal digital certificates for nefarious purposes and we are likely seeing the fruits of that labor. With so much malware on the line, we are sure to see this signed malware trend continue higher.

P.S. Deep Defender v1.0.1 is currently in beta and is expected to hit the market in Q2. If you’re interested in helping protect the world beyond the OS, we’re hiring.

Leave a reply


Categories

WEDNESDAY, DECEMBER 13, 2017

Featured

Archives

Latest Comments

Social Networks