Security News > 2021 > September > Malware devs trick Windows validation with malformed certs
Google researchers spotted malware developers creating malformed code signatures seen as valid in Windows to bypass security software.
Roughly a month ago, Google Threat Analysis Group security researcher Neel Mehta discovered that the developers of an unwanted software known as OpenSUpdater started signing their samples with legitimate but intentionally malformed certificates, accepted by Windows but rejected by OpenSSL. By breaking certificate parsing for OpenSSL, the malicious samples would not be detected by some security solutions that use OpenSSL-powered detection rules and allowed to perform their malicious tasks on victims' PCs. "Since mid-August, OpenSUpdater samples have carried an invalid signature, and further investigation showed this was a deliberate attempt to evade detection," Mehta said.
"Security products using OpenSSL to extract signature information will reject this encoding as invalid."
This happens because security solutions that use OpenSSL to parse digital signatures will virtually ignore the samples' malicious nature because they will reject the signature information as invalid, confusing and breaking the malware scan process.
Google TAG is currently working with the Google Safe Browsing team to block this family of unwanted software from further spreading onto other victims' computers.
The security research also urged Google users to download and install software only from trustworthy sources.
News URL
Related news
- North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware (source)
- Russia targets Ukrainian conscripts with Windows, Android malware (source)
- New SteelFox malware hijacks Windows PCs using vulnerable driver (source)
- New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus (source)