Cybersecurity

Malware Evading Some Antivirus Using Invalid Certificates?

By Veriato Team

Many antivirus and endpoint security technologies fight a two-front battle. On the one hand, they must block malware threats from executing on the system. On the other hand, they need to avoid falsely detecting legitimate software so they don’t cripple the system or their users’ abilities to use valid software.

One technique antivirus scanners may use to avoid blocking legitimate software is to trust files that are digitally signed by certificates that the security software trusts. For example, most executable files distributed as part of a Windows installation by Microsoft would be digitally signed by a Microsoft certificate. As new versions of software are released through updates or patches the antivirus scanner might check and skip the file thus preventing falses as long as the file is validly signed by the trusted certificate.

A study by University of Maryland Computer Science students, “Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI” observed that many unsigned ransomware files that were detected by major antivirus products were no longer detected once invalid digital certificates were appended to the files. The authors believe that “this is due to the fact that AVs take digital signatures into account when filter and prioritize the list of files to scan(sic)…”

This may be correct. It implies that the antivirus scanner isn’t verifying the validity of the certificate on the file and is trusting merely due to its presence in the file. The authors don’t state if the resulting ransomware evasion was verified to be due to a digital certificate trust in the PKI model.

Another possibility is that certain malware detections are specific to exact file hashes (e.g. MD5, SHA256) and thus a modification to the file in the slightest bit – such as appending an invalid X.509 digital certificate to the file – alters the file’s hash and thus will also potentially break the detection.

Either way this does highlight an antivirus evasion technique. Files that contain an invalid digital certificate for a variety of reasons are still allowed to run on a Windows system and the user in most cases would be unaware. The one major exception would be native system drivers which operate in kernel space and are required to have a valid and trusted digital certificate in order to execute.

I altered a tool of my own (not malware) by copying a digital certificate from another valid file and setting the fields in the file header to recognize that certificate structure. A certificate validation check of the file resulted as invalid (TRUST_E_BAD_DIGEST) but the tool still executed with no errors.

Had this been a detected piece of malware, it is possible that the malware would still execute but no longer be detected unless the antivirus rule was more generic. Generic signatures against many modern malware families are difficult to create due to the sophistication of techniques used by malware authors to evade antivirus detection. Detections against many known variants of malware are often very specific. This is how ransomware and other malware often will still get though the strongest of endpoint defenses.

This type of antivirus evasion is not new but does illustrate how modifying any piece of malware in a way that doesn’t affect its original operation can result in its undetected reuse, signed or not.

If an antivirus product is trusting digitally-signed files with invalid certificates, this has additional ramifications. Malware could trivially append a Microsoft, Adobe or Oracle certificate and masquerade as legitimate software with impunity. For most antivirus products, the evasion or change in detection may only be the result of a change in the file’s hash after the modification and unrelated to digital certificates specifically.

How to Rebrand
“Bossware”at Your
Company

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Quis ipsum suspendisse ultrices gravida. Risus

About the author

Veriato Team
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Quis ipsum suspendisse ultrices gravida.

Employee Monitoring Resources

The Myths and Truths of Employee Monitoring

The Myths and Truths of Employee Monitoring

Early in the pandemic, searches related to “how to monitor employees working from home” increased by 1,705%. Without the oversight of managers in an office setting, many companies are concerned that their employees are less productive, and that there is an increase...

When To be Suspicious About Work-From-Home Employees (or Not)

When To be Suspicious About Work-From-Home Employees (or Not)

Perhaps someone doesn’t answer a Slack message as quickly as they should, or they have long hours blocked on their calendar. Maybe someone doesn’t seem motivated during team meetings or they are slow to complete work. While research has shown that overall,...

Avoid These Employee Monitoring Blunders

Avoid These Employee Monitoring Blunders

In September 2021, 45% of full-time employees were still working remotely, and the trend is hard to reverse. People like the freedom of working from home. Without a commute, they save time. Without a boss looming in the background, they can multi-task at home. And,...