Malware creators have figured out a clever new way to hoodwink Windows 10

Google researchers believe it could be the first instance of malware slipping past security scanners by pairing a valid certificate with a deliberately malformed signature encoding


Google researchers have spotted malware developers employing a novel trick to confuse and break Windows 10 malware scans: the samples carry deliberately malformed signatures on otherwise valid certificates.

Neel Mehta, a security researcher with Google's Threat Analysis Group (TAG), has shared details of the trick, which is being used by the developers of the OpenSUpdater malware.

Mehta observed samples of the malware signed with a legitimate but intentionally malformed signature. Windows accepts the signature as valid, while OpenSSL rejects the encoding outright, and that disagreement between the two parsers is what confuses scanners that rely on OpenSSL.


“Security products using OpenSSL to extract signature information will reject this encoding as invalid. However, to a parser that permits these encodings, the digital signature of the binary will otherwise appear legitimate and valid,” notes Mehta.

Novel approach

BleepingComputer explains that, in essence, the technique breaks certificate parsing for OpenSSL: the library refuses to decode the signature, so any check that depends on the decoded signature data never runs.

This lets the malicious samples avoid detection by security products whose detection rules depend on signature data extracted with OpenSSL, leaving them free to run on the victim's computer.
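The following is an added example, not code from the article, Google TAG or BleepingComputer. It is a toy ASN.1 TLV decoder with a strict (DER) mode and a lenient (BER) mode, run over one SEQUENCE encoded three ways, to show the parser differential the article describes: bytes that one parser rejects as malformed while another decodes without complaint. The byte strings are constructed for illustration and are not the OpenSUpdater signature; the two-mode decoder stands in for "OpenSSL" (strict) versus "a parser that permits these encodings" (lenient), and the `verdict` policy function is a hypothetical scanner, not any real product.

```python
"""Added example: a strict-vs-lenient ASN.1 decoder and a toy scanner policy,
showing how a signature one parser rejects can still look valid to another.
Byte strings below are constructed for illustration, not real signatures."""


class ParseError(ValueError):
    """Raised when the input violates the rules of the selected mode."""


def _read_length(buf, pos, end, strict):
    """Parse an ASN.1 length at buf[pos]. Returns (length, new_pos);
    length is None for the BER indefinite form (0x80)."""
    if pos >= end:
        raise ParseError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form
        return first, pos
    if first == 0x80:                     # indefinite form, BER only
        if strict:
            raise ParseError("indefinite length is not valid DER")
        return None, pos
    nbytes = first & 0x7F                 # long form: nbytes octets follow
    if pos + nbytes > end:
        raise ParseError("truncated long-form length")
    raw = buf[pos:pos + nbytes]
    pos += nbytes
    length = int.from_bytes(raw, "big")
    # DER demands the minimal encoding: short form whenever it fits,
    # and no leading zero octets in the long form.
    if strict and (length < 0x80 or raw[0] == 0):
        raise ParseError("non-minimal length encoding is not valid DER")
    return length, pos


def _decode_items(buf, pos, end, strict, indefinite):
    """Decode consecutive TLV elements in buf[pos:end] into (tag, value)
    tuples; constructed values hold a list of children, primitives hold
    bytes. In indefinite mode the list is closed by the end-of-contents
    octets 00 00 rather than by reaching end."""
    items = []
    while True:
        if indefinite and buf[pos:min(pos + 2, end)] == b"\x00\x00":
            return items, pos + 2
        if pos >= end:
            if indefinite:
                raise ParseError("missing end-of-contents octets")
            return items, pos
        tag = buf[pos]
        pos += 1
        length, pos = _read_length(buf, pos, end, strict)
        constructed = bool(tag & 0x20)
        if length is None:
            if not constructed:
                raise ParseError("indefinite length on a primitive element")
            children, pos = _decode_items(buf, pos, end, strict, True)
            items.append((tag, children))
            continue
        if pos + length > end:
            raise ParseError("element runs past its container")
        if constructed:
            children, inner = _decode_items(buf, pos, pos + length, strict, False)
            if inner != pos + length:
                raise ParseError("constructed element has trailing bytes")
            items.append((tag, children))
        else:
            items.append((tag, bytes(buf[pos:pos + length])))
        pos += length


def decode(blob, strict=True):
    """Decode a whole blob. strict=True enforces DER; strict=False also
    accepts BER forms (indefinite length, non-minimal length)."""
    items, _ = _decode_items(blob, 0, len(blob), strict, False)
    return items


# Constructed sample: SEQUENCE { INTEGER 1, OCTET STRING "ab" }, three ways.
DER_SEQ = bytes.fromhex("30 07 02 01 01 04 02 61 62")
# Same content, indefinite-length SEQUENCE terminated by EOC octets 00 00.
BER_INDEFINITE = bytes.fromhex("30 80 02 01 01 04 02 61 62 00 00")
# Same content, length 7 written in long form (81 07) although short form fits.
BER_LONG_LENGTH = bytes.fromhex("30 81 07 02 01 01 04 02 61 62")


def verdict(blob, strict=True, fail_closed=False):
    """Hypothetical scanner policy. Extracting signature fields with a strict
    parser and silently skipping samples it cannot parse (fail_closed=False)
    is the behaviour the evasion relies on; fail_closed=True instead treats
    an unparseable signature as a signal in its own right."""
    try:
        decode(blob, strict=strict)
    except ParseError:
        return "suspicious" if fail_closed else "skipped"
    return "signature-checked"


if __name__ == "__main__":
    samples = [("DER", DER_SEQ), ("BER indefinite", BER_INDEFINITE),
               ("BER long length", BER_LONG_LENGTH)]
    for name, blob in samples:
        for strict in (True, False):
            try:
                print(f"{name:16} strict={strict!s:5} -> {decode(blob, strict)}")
            except ParseError as err:
                print(f"{name:16} strict={strict!s:5} -> rejected: {err}")
```

Both BER variants decode to exactly the same structure as the DER version in lenient mode and raise in strict mode. The practitioner's takeaway is in `verdict`: a pipeline that drops a sample from signature-based rules whenever its strict parser throws is failing open, and a signature that Windows accepts but a strict DER parser rejects is itself worth flagging.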

Mehta adds that this is perhaps the first time threat actors have used the technique to evade detection. So far it has been seen only from the authors of OpenSUpdater, which injects ads into victims' browsers and installs other unwanted programs on their devices.


Since Google first discovered this activity, OpenSUpdater's authors have tried other variations of invalid encodings in an effort to evade detection further.

Google TAG has reported the evasion tactic to Microsoft and is working with the Google Safe Browsing team to block this family of unwanted software.

Via BleepingComputer

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he's TechRadar Pro's expert on the topic. Of course, he's just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
