Google researchers have warned that hackers are now using flawed digital signatures to bypass detection by Windows security software.
In a report released Thursday on The Digital Hacker, the tech giant's Threat Analysis Group (TAG) said hackers "created malformed code signatures" that are considered "valid by Windows" but cannot be decoded by the OpenSSL code used in security scanners.
New Technique Allows Malware to Download and Install on PCs without Detection
The researchers discovered that the OpenSUpdater family of software uses this new technique. Described as riskware, OpenSUpdater shows ads in victims' browsers and then installs unwanted programs on their PCs. Most of the targeted victims of OpenSUpdater attacks are U.S.-based users prone to downloading cracked games.
Information about these infections comes from OpenSUpdater samples submitted to VirusTotal since August.
Financially motivated hackers run coordinated malware campaigns against as many devices as possible, Bleeping Computer reported.
Google TAG researcher Neel Mehta discovered that OpenSUpdater developers began signing samples with valid but purposely malformed certificates, which Windows accepts but OpenSSL rejects. The malformed encoding breaks OpenSSL's certificate parsing, so the digital signature cannot be decoded and checked. As a result, security products whose policies rely on OpenSSL do not identify these malicious programs, which are then free to carry out unwanted actions on a victim's device or PC.
Mehta stressed that since August, OpenSUpdater samples have carried an invalid signature, and his group further discovered that this was done on purpose to avoid detection. OpenSSL-based security products that extract signature information will "reject this encoding as invalid," Mehta said on The Digital Hacker. But to a parser that allows such encodings, the binary's digital signature "will otherwise appear legitimate and valid," Mehta added.
The final stage of the attack is OpenSUpdater getting past security defenses, so that its samples are deployed and launched on a victim's computer without any obstacle. This is possible because OpenSSL-based security products that parse digital signatures never reach a verdict on the sample's maliciousness: they reject the signature information as invalid, which obscures and disrupts the malware detection process.
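As an added illustration (not code from Google TAG, OpenSSL or the article), the Python below models the detection-pipeline failure the report describes and the fail-closed alternative: a small strict DER walker stands in for OpenSSL's parser, and a signature blob it cannot decode is reported as a finding rather than silently skipped. The walker, `DerError`, `classify_signature` and every sample blob are assumptions constructed for this example.

```python
# Added example (not Google TAG's, OpenSSL's or the article's code): fail-closed verdicts
# for signature blobs a strict DER parser rejects. Walker and sample blobs are constructed
# here; none is an OpenSUpdater artifact.
class DerError(ValueError):
    pass
def _read_tlv(buf, pos, end):
    """Read one tag/length at pos; return (tag, content_start, content_end)."""
    if pos + 2 > end:
        raise DerError("truncated element or trailing bytes")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if tag == 0x00 or tag & 0x1F == 0x1F:  # tag 0 is end-of-contents, never legal in DER
        raise DerError("end-of-contents octet or unsupported multi-byte tag")
    if first == 0x80:
        raise DerError("indefinite length (BER) is not DER")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n > 4 or pos + n > end:
            raise DerError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise DerError("element runs past its parent")
    return tag, pos, pos + length

def strict_der_check(buf):
    """Walk every nested element; reject the non-DER encodings checked in _read_tlv."""
    stack = [(0, len(buf))]
    while stack:
        pos, end = stack.pop()
        while pos < end:
            tag, start, stop = _read_tlv(buf, pos, end)
            if tag & 0x20:  # constructed: its children must exactly fill the content
                stack.append((start, stop))
            pos = stop
    return True

def classify_signature(blob):
    """Fail closed: a signature that cannot be decoded is a finding, not 'no verdict'."""
    if not blob:
        return "unsigned"
    try:
        strict_der_check(blob)
    except DerError as err:
        return f"malformed-signature: {err}"
    return "parsed"  # DER is well-formed; chain and file-hash verification still follow
# Constructed samples, all carrying SEQUENCE { INTEGER 1, OCTET STRING "ab" }:
WELL_FORMED = bytes.fromhex("300702010104026162")
INDEFINITE_LEN = bytes.fromhex("3080020101040261620000")  # BER indefinite length + EOC
EOC_INSIDE = bytes.fromhex("3009020101000004026162")      # stray 00 00 inside the content
```

A scanner that maps `malformed-signature` to "no signature data, skip" reproduces the gap the report describes; routing it to a detection instead is the fail-closed behaviour.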
Since Google TAG first discovered the new technique, OpenSUpdater developers have tried other variations of invalid encodings to further evade detection, Mehta added.
Mehta emphasized that this activity is the first time Google TAG has observed hackers using the technique to avoid detection "while preserving a valid digital signature on PE (portable executable) files."
Google Alerts Microsoft About New Hacking Technique, Calls On Users to Download and Install Genuine Software
Following the discovery, Mehta and Google TAG reached out to Microsoft to inform it about this new evasion tactic.
Google TAG is currently collaborating with the search giant's Safe Browsing team to stop OpenSUpdater from spreading further to PCs and devices. It also urged users to download and install software only from accredited, genuine and trustworthy sources.