Researchers Hide Malware Inside Digitally-Signed Files Without Breaking Hashes

Share this…

New technique makes malware detection almost impossible. A team of security researchers from Deep Instinct have discovered a method of injecting malware inside a digitally-signed binary without affecting the overall file hash, which almost certainly ensures that antivirus and security software won’t detect the malicious file.

When users double-click an executable and launch it into execution, Windows does three things. It first reads the file’s PE headers, validates the certificate, and validate’s the file hash.

After reverse engineering this entire process, the Deep Instinct team discovered that Windows does not include three fields from the PE headers in the file hash validation process and that modifying these three fields does not break the certificate’s validity.

Researchers first made the file undetectable

The fields are the file’s Checksum, the IMAGE_DIRECTORY_ENTRY_SECURITY field from the DataDirectory section, and the file’s attribute certificate table.

In proof-of-concept code they did not reveal for obvious reasons, the research team inserted malicious code inside the attribute certificate table, successfully leaving the digital certificate and the file hash intact.

This method is so efficient that malware coders do not even need to hide their malicious code via packers (code obfuscators). The reason is that antivirus and security software automatically ignores any digitally-signed file.

By leaving the file hash intact, this technique also bypasses any secondary checks security software might perform besides checking for a digital certificate.

Then they found a method to run the malicious code

Researchers also bypassed the problem of not being able to launch into execution malicious code from a file’s attribute certificate table, which resides in the file’s digital certificate.

“Having a malicious file in the disk without having it identified is nice, but having nothing to do with it makes it less interesting,” the research team explained in their recent Black Hat presentation. “That is the reason why we wrote a Reflective PE Loader: to execute PE files directly from memory.”

Despite their success, the Deep Instinct team said their Reflective PE Loader does not support 64-bit architectures, at least for now.

For malware authors, the research of the Deep Instinct team is the Holy Grail of malware coding, providing the perfect method to hide malicious code in plain sight, right in the digital certificate, the file section that’s supposed to authenticate a file’s origin and safeguard users from malware.

A clean file on the left, and an infected file on the right. Same hash.