
Preventing Microsoft's Authenticode from spreading stealth malware

A Microsoft Authenticode vulnerability allowed malicious code to sneak through without invalidating a file's digital signature. Expert Nick Lewis explains how to address this flaw.

Adding new functionality to a system increases its attack surface, regardless of how small the addition is -- even mature software development practices with security built in and systems developed using formal methods will have vulnerabilities in them. As software gets more complex, it becomes more difficult to identify all the vulnerabilities in a system. While Microsoft has devoted significant resources to secure software development, the Deep Instinct research team identified a vulnerability in Microsoft's Authenticode that allowed for malicious code to be executed.

This tip will explore this Authenticode vulnerability and issues with digital signatures in general, as well as how to address them with enterprise protections.

The Microsoft Authenticode vulnerability

Microsoft's Authenticode allows developers to include information about themselves and their code in their programs by using digital signatures. The digital signature uses a code-signing certificate issued to a developer or an organization from a certificate authority. This additional information helps an enterprise determine if the software is legitimate. Microsoft added this functionality to combat malware by preventing unauthorized files from executing.

The Deep Instinct research team studied packers -- tools that transform executables into different executables -- and the Windows portable executable format and found that only three parts of the PE file were included in the hash used in the signature during validation with Authenticode. The researchers discovered a part of the file where they could store malicious code without invalidating the file's signature; the operating system then runs that code when the main part of the file is executed. This required changing the PE file headers and controlling the execution order of different portions of the file. As part of the attack, the team developed a reflective PE loader to execute PE files directly from memory. This allowed the malicious code to run in the context of the user who executed the file.

Packers will make changes to the file and the PE headers to evade detection by antimalware tools, without making significant changes to the underlying code. Legitimate software developers may use packers or other tools to protect their intellectual property contained in the executable but don't need to make these types of edits to the PE file headers.

The Deep Instinct research team closed out its whitepaper with a comment about how more attackers have been chaining vulnerabilities to bypass all security protections, which potentially has led to the rise in sophisticated toolkits. While script kiddies once simply downloaded a working exploit and built their own attacks around it, the new generation has much more powerful tools to use in attacks against more secured systems.

Other attacks like DLL preloading or using scripting capabilities built into Adobe Reader, Flash or Microsoft Office can be used to achieve similar results. There have also been other attacks on Microsoft Authenticode where malicious files were signed by a fraudulent or stolen certificate.

Enterprise protections

Enterprises with mature information security programs can take measures to ensure they are protected from stealth malware using this attack. An attacker's first step in this exploit is to get code executed on the endpoint. This could be done through a phishing attack where an individual opens a malicious attachment or could be executed via a vulnerability in a web browser. Standard endpoint antimalware recommendations should be followed to prevent this step.

Whitelisting can also be used to only allow approved executables to run on a system, preventing a malicious signed file from executing. The enterprise would need to vet the approved executables to ensure no malware was whitelisted. Enterprises should verify that the MD5/SHA-1 hashes used, when available from software vendors independently of Authenticode, are calculated over the entire file and not just parts of the file. Where parts of a file legitimately change over time, the software manufacturer need only publish an updated MD5/SHA-1 hash. This would help identify files changed after they were published and prompt further investigation to see if the files were malicious. Currently, not many developers publish MD5/SHA-1 hashes like this, but publishing them on the download page could address this vulnerability. Microsoft may even want to re-evaluate how Authenticode signs files and ensure any part of a file that can execute code is included in the signature.

Enterprises that still rely on conventional security products that use signature checks will need to ensure their tools are updated with signatures that detect the exploit. An endpoint security tool will need to add a signature for stealth malware using this technique, or a check for data stored in the PE file header that would identify the malicious file. Enterprises that use anomaly detection tools could also detect malware using this technique -- the file that executes on the system would have unusual data stored in the PE file headers, or the checksum of the file wouldn't match the size of the file.
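The three points above (which parts of a PE file Authenticode hashes, why a whole-file hash published by the vendor catches changes the signature does not, and what an anomaly check can look for) can be seen together in a short script. The following is an added example, not code from the article or from Deep Instinct. It builds a small synthetic PE32+ file (a constructed layout that is not executable, with a placeholder signature blob), computes the Authenticode-style hash by skipping the CheckSum field, the certificate table directory entry and the attribute certificate table as the Authenticode PE specification describes, computes a plain SHA-256 of the whole file, and flags bytes in the certificate table that no WIN_CERTIFICATE entry accounts for. The function and field names are this example's own.

```python
"""Authenticode-style PE hash vs whole-file hash, plus a certificate-table slack check.
Added example; the PE layout is constructed here and the signature blob is a placeholder."""
import hashlib
import struct

OPT_SIZE_OF_HEADERS = 60   # optional header offsets from the PE/COFF specification
OPT_CHECKSUM = 64
CERT_DIR_INDEX = 4         # IMAGE_DIRECTORY_ENTRY_SECURITY (attribute certificate table)


def _layout(pe: bytes):
    """Locate the fields the Authenticode hash skips and the section bodies it covers."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    data_dirs = opt + (112 if magic == 0x20B else 96)       # PE32+ vs PE32
    cert_entry = data_dirs + CERT_DIR_INDEX * 8
    cert_ptr, cert_size = struct.unpack_from("<II", pe, cert_entry)
    size_of_headers = struct.unpack_from("<I", pe, opt + OPT_SIZE_OF_HEADERS)[0]
    sec_hdr = opt + opt_size
    # (PointerToRawData, SizeOfRawData) for each section, sorted by file offset
    sections = sorted(struct.unpack_from("<II", pe, sec_hdr + i * 40 + 16)[::-1]
                      for i in range(n_sections))
    return opt + OPT_CHECKSUM, cert_entry, cert_ptr, cert_size, size_of_headers, sections


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Hash the file the way Authenticode does: everything except the CheckSum field,
    the certificate table directory entry, and the certificate table itself."""
    checksum_off, cert_entry, cert_ptr, cert_size, size_of_headers, sections = _layout(pe)
    h = hashlib.new(algo)
    h.update(pe[:checksum_off])                       # headers up to CheckSum
    h.update(pe[checksum_off + 4:cert_entry])         # ... up to the cert directory entry
    h.update(pe[cert_entry + 8:size_of_headers])      # ... to the end of the headers
    hashed = size_of_headers
    for ptr, size in sections:                        # section bodies in file order
        h.update(pe[ptr:ptr + size])
        hashed += size
    # Overlay data between the last section and the certificate table is hashed too;
    # the table itself (cert_size bytes at cert_ptr) never is.
    end = cert_ptr if cert_size else len(pe)
    h.update(pe[hashed:end])
    return h.hexdigest()


def certificate_table_slack(pe: bytes) -> int:
    """Bytes inside the certificate table not covered by any WIN_CERTIFICATE entry.
    Each entry is dwLength bytes, padded to an 8-byte boundary."""
    _, _, cert_ptr, cert_size, _, _ = _layout(pe)
    pos = 0
    while pos + 8 <= cert_size:
        dw_length = struct.unpack_from("<I", pe, cert_ptr + pos)[0]
        if dw_length < 8 or pos + dw_length > cert_size:
            break                                     # malformed entry: rest is slack
        pos += (dw_length + 7) & ~7
    return cert_size - min(pos, cert_size)


def build_synthetic_pe(section_body: bytes, signature_blob: bytes) -> bytes:
    """Constructed minimal PE32+: DOS header, PE signature, COFF header, optional
    header, one section header, one section, then the certificate table at the end."""
    file_align, e_lfanew, headers_size = 0x200, 0x40, 0x200
    section_raw = section_body.ljust(-(-len(section_body) // file_align) * file_align, b"\0")
    cert_ptr = headers_size + len(section_raw)
    # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=2 (PKCS_SIGNED_DATA)
    cert = struct.pack("<IHH", 8 + len(signature_blob), 0x0200, 0x0002) + signature_blob
    cert = cert.ljust((len(cert) + 7) & ~7, b"\0")
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, len(section_raw), 0, 0, 0x1000, 0x1000,
                      0x140000000, 0x1000, file_align, 6, 0, 0, 0, 6, 0,
                      0, 0x2000, headers_size, 0, 3, 0x8160,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[CERT_DIR_INDEX] = (cert_ptr, len(cert))
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".text", len(section_body), 0x1000,
                          len(section_raw), headers_size, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sec_hdr).ljust(headers_size, b"\0")
    return headers + section_raw + cert


def compare(pe: bytes, filler: bytes) -> dict:
    """Grow the certificate table by `filler` bytes (the region Authenticode never
    hashes) and report what each check sees before and after."""
    _, cert_entry, cert_ptr, cert_size, _, _ = _layout(pe)
    grown = bytearray(pe + filler)
    struct.pack_into("<II", grown, cert_entry, cert_ptr, cert_size + len(filler))
    grown = bytes(grown)
    return {
        "authenticode_unchanged": authenticode_hash(pe) == authenticode_hash(grown),
        "whole_file_unchanged": hashlib.sha256(pe) .digest() == hashlib.sha256(grown).digest(),
        "slack_before": certificate_table_slack(pe),
        "slack_after": certificate_table_slack(grown),
    }


if __name__ == "__main__":
    sample = build_synthetic_pe(b"\xc3" * 100, b"constructed-signature-blob")
    print(compare(sample, b"\0" * 64))
```

On the synthetic file the Authenticode-style digest is identical before and after the certificate table grows, while the whole-file SHA-256 differs and the slack check reports the unaccounted bytes; that is the gap the vendor-published full-file hash and the header anomaly check above are meant to close.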

Multilayered security controls are necessary to ensure that if a system is compromised during an attack using an executable file hiding malware, the compromised system will not impact the overall network. The addition of Microsoft's Authenticode was a significant advancement in protecting endpoints and expanded the potential protections for an endpoint. The research presented by the Deep Instinct research team will help enterprises identify additional checks to find where malware could hide.


This was last published in November 2016
