Signed Malware: You Can Run, But You Can’t Hide

It’s been more than a year since McAfee became an Intel company, and the team and I have been privileged to be a part of designing and developing our DeepSAFE technology, as well as Deep Defender, the first available product that leverages this advancement. Recent threats in the news validate what we’ve been working on, and this blog serves as an update to our followers.

Signed Malware Prevalence

Digitally signed malware has received a lot of media attention recently. Indeed, more than 200,000 new and unique malware binaries discovered in 2012 have valid digital signatures.

Unique Malicious Binaries Discovered With Valid Digital Signatures (cumulative starting Jan 2012)

Source: McAfee Labs Sample Database

Why Sign?

Attackers sign malware in an attempt to trick users and admins into trusting the file, but also in an effort to evade detection by security software and circumvent system policies. Much of this malware is signed with stolen certificates, while other binaries are self-signed or “test signed.” Test signing is sometimes used as part of a social engineering attack.

Which signature is real?

Answer: They’re both real and valid certificates, but one is test signed.

Test Signing

Test signing is particularly useful to attackers on 64-bit Windows, on which Microsoft enforces kernel-mode driver signing: by default, test-signed drivers will not load. However, Microsoft provides developers with a means of disabling this policy, and malware authors have learned to do the same. Rootkits on 64-bit Windows, such as Necurs (used by Banker, Advanced PC Shield 2012, and Cridex), use this approach to compromise the operating system. To combat this, Deep Defender Version 1.0.1 blocks test-signed drivers by default, while allowing ePO administrators to selectively exclude in-house kernel driver developers’ systems as necessary.
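As an added example (not code from the original post or from the Deep Defender product), the following read-only PowerShell audit checks whether the 64-bit driver-signing policy described above has been weakened on a host and lists loaded kernel drivers whose Authenticode signature does not chain to a trusted root, which is how a test-signed driver appears to a machine that has not installed the test root. It assumes Windows with bcdedit.exe and the built-in Get-AuthenticodeSignature cmdlet, run from an elevated prompt.

```powershell
# Added example, not from the original post: audit the driver-signing policy
# and the signature status of loaded kernel drivers. Assumes an elevated
# PowerShell session on Windows (bcdedit needs admin to read the boot store).

# 1. Is the signing policy weakened on the current boot entry?
#    'testsigning Yes' lets test-signed drivers load;
#    'nointegritychecks Yes' disables signature checks entirely.
$bcd = bcdedit /enum '{current}' 2>$null
$policy = [ordered]@{
    TestSigning       = [bool]($bcd -match '^\s*testsigning\s+Yes')
    NoIntegrityChecks = [bool]($bcd -match '^\s*nointegritychecks\s+Yes')
}
$policy

# 2. Authenticode status of every kernel driver Windows reports as running.
#    A test-signed driver does not chain to a trusted root, so it reports
#    NotTrusted/UnknownError instead of Valid; an unsigned one reports NotSigned.
$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # Normalise the kernel-style paths (\??\C:\... and \SystemRoot\...) to Win32 paths.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    $path = [System.Environment]::ExpandEnvironmentVariables($path)
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Driver = $d.Name
        Path   = $path
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
        Issuer = $sig.SignerCertificate.Issuer
    }
}

# Anything not 'Valid' deserves a look: unsigned, test-signed, or signed by a
# certificate the machine does not trust. Note: on Windows 7 the cmdlet does
# not consult security catalogs, so catalog-signed inbox drivers show NotSigned.
$report | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
```

The Signer and Issuer columns are what distinguish a self-signed or test-signed binary from one signed with a stolen but otherwise legitimate certificate, which this check alone cannot flag.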

This is just one layer of protection, of course. Security is about “defense in depth,” from network to silicon. Real-time memory monitoring allows Deep Defender to identify the Necurs rootkit as it attempts to compromise the kernel.

Trying to Hide

Being able to observe transient events in memory allows DeepSAFE to get past obfuscated file views that challenge traditional antivirus solutions.

A case in point is the Mediyes Trojan referenced in the aforementioned press articles. A quick check of our sample database shows more than 7,000 unique binaries in this family. Yet memory rules written over a year ago to cover rootkit techniques are able to proactively identify the latest signed attack, even as a zero day.

After the attacks were known, the certificate was revoked

Here DeepSAFE intercepts the malware as it attempts to clear the write-protect bit of the CR0 control register and to install kernel inline hooks on the ZwResumeThread function.

VirusTotal shows that traditional file scanning was not very successful against this particular sample (just two out of 43 scanners detecting it).

More to Come

For some time we’ve seen malicious payloads that attempt to steal digital certificates for nefarious purposes, and we are likely seeing the fruits of that labor. With so much malware online, we are sure to see this trend of signed malware continue and increase.

P.S. Deep Defender Version 1.0.1 is currently in beta and is expected to hit the market in Q2. If you’re interested in helping protect the world beyond the OS, we’re hiring.