Validating the integrity and authenticity of code in Microsoft applications is important given their near-ubiquity in the enterprise. One mechanism for doing so is a digitally signed file that is supposed to help Windows operating systems run validated code from known good developers. One problem: The mechanism can potentially be bypassed and an attacker can hide malware inside of legitimately signed executables, according to security firm Deep Instinct
Tom Nipravsky, security researcher at Deep Instinct, presented his research in a talk at the Black Hat USA conference. In an interview with eSecurityPlanet, Nipravsky explained that his research started with a simple question: Can you really trust a digitally signed PE (portable executable) file?
PE files are widely used in Microsoft Windows operating systems to deliver executables, as well as font files and DLLs (dynamic link libraries). Nipravsky and Deep Instinct developed a reflective PE loader, which was able to inject malicious code into a digitally signed PE file. The maliciously manipulated file was then able to run unhindered and undetected on the target Windows system.
Multiple fields make up the logical structure of a PE file. In order to cryptographically sign the file, Windows calculates a hash or value based on some, but not all, of the fields. Nipravsky and his reflective PE loader abuse the fact that some fields are not part of the hash. As such, he was able to demonstrate that by injecting data into some of the non-hashed fields, a PE file can be manipulated and injected with malicious code.
“The reflective PE loader provides the ability to execute files directly from memory and not from disk,” Nipravsky explained.
In a demo, Nipravsky showed how the technique could be injected into a PE file signed by Microsoft and was not detected by anti-virus technologies as malicious or altered in any way.
“Windows still thinks it’s a valid certificate,” Nipravsky said.
The ability to manipulate PE files is present on all versions of Windows that support Authenticode, which is Microsoft’s digital certificate technology. From a defender perspective, Nipravsky said it is incumbent upon Microsoft to make sure that additional data isn’t added to the PE file.
Nipravsky emphasized that he’s not aware of the PE file signature bypass being used in the wild by attackers. Additionally he noted that he has not released an attack tool that would enable an attacker to actually execute the type of attack he has described as being possible.
An additional motive for seeing if PE file injection was possible was to test the efficacy of the Deep Instinct platform, which is a next generation malware detection technology. Nipravsky’s main role at Deep Instinct is to challenge the company’s products to make them more resilient to different types of attacks. Deep Instinct’s platform is able to detect a malicious PE file that has been injected via reflective PE loader, he said.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.