According to Google researchers, malware distributors are shipping Windows executables whose code signatures are deliberately malformed: Windows still treats the binaries as validly signed, but OpenSSL-based tooling cannot parse the signature at all, which lets the files slip past security products.
The technique is actively used to spread OpenSUpdater, a family of unwanted software classed as riskware. It injects advertisements into victims' browsers and installs other unwanted programs on their machines.
The majority of the targets are in the United States, mostly users looking for game cracks and pirated software.
About a month ago, a Google Threat Analysis Group (TAG) security researcher found that the creators of the OpenSUpdater adware had begun signing their packages with certificates that chain to a legitimate issuer but whose encoding is intentionally broken, so that Windows accepts the signature while OpenSSL rejects it.
Because OpenSSL cannot decode the certificate, it cannot verify the digital signature either. Security products that rely on OpenSSL to extract and check signature information therefore never get as far as classifying the sample, and the binary is allowed to carry out its operations on the victim's computer.
The researcher said that OpenSUpdater samples had carried an invalid signature since mid-August, and further analysis showed the malformation to be a deliberate attempt to avoid detection.
Security solutions that use OpenSSL to extract signature information reject this encoding as invalid, while a parser that tolerates it, as the Windows loader does, sees a signature that looks authentic and valid. That parser differential is what lets OpenSUpdater past security protections: the signature check errors out, the sample is never classified, and it runs without interference on the victim's device.
The practical lesson for defenders is that a failure to parse a signature is itself a signal. A scanner that treats "could not decode the signature" as "nothing to check" hands the attacker exactly the gap described here; a parse error on a file the operating system is willing to execute should escalate the sample, not skip it.
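The following added example (not code from Google, OpenSSL or Microsoft) makes the parser differential concrete. It implements a strict DER reader that rejects a stray tag the way a DER-only library does, a lenient reader that tolerates the same bytes the way a permissive loader does, and two triage policies: a naive one that skips samples it cannot parse, and a hardened one that flags them. The malformation used here, an End-of-Content marker (`00 00`) substituted for the NULL parameters (`05 00`) of the certificate's signature AlgorithmIdentifier, is the one described in Google TAG's public write-up; the sample bytes and the OID and parser functions are constructed for this illustration.

```python
"""Parser-differential demo: strict DER vs lenient BER-tolerant parsing of an
AlgorithmIdentifier, and what each triage policy does with the malformed case.
All sample data is constructed for this example."""

SHA256_RSA_OID = "1.2.840.113549.1.1.11"

# Constructed: DER AlgorithmIdentifier = SEQUENCE { OID sha256WithRSA, NULL }
WELL_FORMED = bytes.fromhex("300d06092a864886f70d01010b0500")
# Constructed: same structure with the NULL (05 00) replaced by an EOC (00 00)
MALFORMED = bytes.fromhex("300d06092a864886f70d01010b0000")


class DerError(ValueError):
    """Raised for any encoding the strict reader refuses."""


def _read_tlv(buf, pos):
    """Read one tag-length-value triple using definite-length encoding only."""
    if pos + 1 >= len(buf):
        raise DerError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:
        raise DerError("indefinite length is BER, not DER")
    if first & 0x80:  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise DerError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise DerError("value overruns buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    if not value:
        raise DerError("empty OID")
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    if acc:
        raise DerError("unterminated OID arc")
    return ".".join(map(str, arcs))


def parse_algorithm_identifier(blob, strict):
    """Return (oid, parameters_tag) from an AlgorithmIdentifier SEQUENCE.

    strict=True  models a DER-only parser: an EOC tag (0x00) inside a
                 definite-length SEQUENCE is an error, as in OpenSSL.
    strict=False models a tolerant parser: the stray EOC is skipped and the
                 algorithm OID is still recovered, as a permissive loader does.
    """
    tag, body, end = _read_tlv(blob, 0)
    if tag != 0x30 or end != len(blob):
        raise DerError("expected exactly one SEQUENCE")
    pos, oid, params = 0, None, None
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x00:
            if strict:
                raise DerError("EOC marker inside definite-length SEQUENCE")
            continue  # lenient: ignore the stray EOC
        if tag == 0x06 and oid is None:
            oid = decode_oid(value)
        elif oid is not None and params is None:
            params = tag  # 0x05 for NULL in the well-formed case
        else:
            raise DerError("unexpected element in AlgorithmIdentifier")
    if oid is None:
        raise DerError("missing algorithm OID")
    return oid, params


def strict_accepts(blob):
    """True if a DER-only parser accepts the encoding."""
    try:
        parse_algorithm_identifier(blob, strict=True)
        return True
    except DerError:
        return False


def triage_naive(blob):
    """Policy that only acts on signatures it can parse: a parse error means
    the sample is silently left unclassified, the gap OpenSUpdater exploits."""
    return "checked" if strict_accepts(blob) else "skipped"


def triage_hardened(blob):
    """Policy that treats a parse failure as a signal: if the strict parser
    fails but a tolerant parser still recovers a signature, escalate."""
    if strict_accepts(blob):
        return "checked"
    try:
        parse_algorithm_identifier(blob, strict=False)
        return "flag-malformed"   # loader-acceptable, DER-invalid: suspicious
    except DerError:
        return "flag-unparseable"  # not even a tolerant parser can read it


if __name__ == "__main__":
    for name, blob in (("well-formed", WELL_FORMED), ("malformed", MALFORMED)):
        print(name, "naive:", triage_naive(blob), "hardened:", triage_hardened(blob))
```

Running the block shows the same bytes producing "skipped" under the naive policy and "flag-malformed" under the hardened one. In a real pipeline the hardened branch would also record which decoding the tolerant parser needed, since an encoding that only one verifier accepts is itself a useful detection attribute.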
TAG said it had not previously seen actors use this approach to evade detection while keeping a digital signature that Windows treats as valid on PE files. After identifying the problem, the Google TAG researcher reported the detection evasion method to Microsoft.