Digital signatures in executable files and bypassing this protection for malware
16 March 2011, 12:52

Hi, Habr.

Well, the karma issues seem to be resolved. They have nothing to do with today's topic and are only the reason it was delayed (it was originally planned for November last year).

Today I offer a quick overview of the electronic signature system for executable files and of the ways to bypass and forge it. One very effective bypass method is examined in detail. Although the information described here has been known for several months, nothing has been heard about it. The vendors of the products described below were notified of this material, so the problem could have been fixed if they considered it their responsibility; there was enough time.

THEORY

The idea and the technology of electronic signatures for executable files date back to the Windows NT era. Starting with Windows Vista, Microsoft began actively promoting the technology. As the vendor intended, signed code can only come from the trusted author of that code, and is therefore guaranteed not to harm the system and to be free of errors (ha ha ha).

Nevertheless, since the signature mechanism usually relies on a fairly complex, cryptographically strong scheme, general trust in signed code spread widely. Antivirus vendors did not stand aside either. The reasoning goes: if the code is signed, it clearly cannot be a virus, so it can be trusted a priori, which reduces the probability of false positives. Therefore most modern antivirus products skip scanning of signed files by default, which increases scanning speed and reduces false positives. Moreover, signed programs are often automatically placed in the "trusted" category of the behavioral analyzer, aka HIPS.

It becomes clear that by signing their creations with a valid signature, a virus writer gains a rich audience of "customers" who get infected even with an active, regularly updated antivirus. Obviously this is a very tasty morsel, which was plainly visible in the case of the already famous Stuxnet, whose code was signed with valid Realtek certificates (JMicron signatures were later reported as well).

But this approach has a downside: once the compromised signature is identified it is immediately revoked, and AV vendors add a detection for the signature itself, with a 100% trigger rate. Given that buying a stolen certificate for signing is very expensive, it is clear that virus writers are interested in a complete bypass of the signature check mechanism, either without a valid private key at all or by generating such keys themselves. That would circumvent not only the protection of antivirus products but also allow installing drivers and ActiveX components without prompts, and even break into the x64 world, where nothing can be installed without a signature at all.

But about this - more in practice.

PRACTICE

One of the greats said that to get ahead of the enemy you must start thinking like him. So, if we were virus writers, what could we do?

1. Copy the certificate information from some clean file.

This is currently the most popular method. The signature details are copied down to the smallest detail, including the chain of trusted publishers. Clearly such a copy is valid only to the user's eye. But what the OS displays can easily confuse an inexperienced user and be taken for just another bug: after all, if all the publishers are right, why is the signature invalid? Alas, such users are the majority.

2. Use a self-signed certificate with a fake name.

The same as the previous variant, except that the chain in the certification path is not even copied.

3. Forge an MD5-based signature.

Although the weakness of the MD5 algorithm has long been documented (here and here), it is still often used in electronic signatures. However, the real examples of breaking MD5 concern either very small files or produce non-functional code. In practice there are no viruses with forged MD5-based signatures, but the method is nevertheless possible in theory.
4. Obtain a certificate through the normal procedure and use it for malicious purposes.

One of the most common methods among authors of so-called riskware, adware and fake antivirus. An example is the fake Perfect Defender (the standard scam: "scan for free, you have a virus, pay us and we'll remove it"), which exists with signatures from several companies:
Jeansovi llc
Perfect Software llc
Sovinsky llc
Trambambon llc

How this is done could be explained well by our domestic winlocker developers, who write in small print about "joke programs" and the like, thereby shielding themselves from fraud charges... And there are plenty of them.

Interestingly, there really are perfectly ordinary programs whose certificate owner names are:
Verified Software
Genuine Software Update Limited
Browser plugin

It is clear that if you trust such names, it is easy to make a mistake at a first glance at the certificate.

It should also be noted that obtaining a certificate from a certification authority is not at all difficult. RapidSSL, for example, uses a simple e-mail check: if the correspondence comes from an address like admin, administrator, hostmaster, info, is, it, mis, postmaster, root, ssladmin, ssladministrator, sslwebmaster, sysadmin or webmaster@somedomain.com, it is obvious that the domain owner wrote it, right? (ha ha ha again). And the nice company Digital River (DR), which does outsourcing and e-commerce, generally provides certificates to all of its clients. No wonder that MSNSpyMonitor, WinFixer, QuickKeyLogger, ErrorSafe, ESurveiller, SpyBuddy, TotalSpy, Spynomore, Spypal and, overall, about 0.6% of all DR-signed files are malware, and more than 5% of all DR-signed files are potentially unwanted.

In fairness, I note that x64 driver signing is not so simple, and no violations have been observed there so far.

5. Find a trusted employee of a company and ask them to sign your code.

No comment. Everyone loves money; the only question is the amount :)

6. Steal a certificate.

At the moment three large Trojan families are known to be "sharpened", in particular, for certificate theft. These are:
Adrenalin
Ursnif
Zeus
SpyEye (maybe)

Mass use of stolen certificates in new versions of these Trojans has not been seen yet. Maybe it is an ace up the sleeve? Time will tell...

7. Infect the build system of a trusted developer and inject the malicious code into the release before it is signed.

A striking example of such an infection is the concept virus Induc.a. The virus injects code at compile time by infecting the development environment. As a result the developer does not even know that an invisible "appendage" has appeared in the program. The release is signed and published with a fully valid certificate. Can you see the gopher? Neither can I, but it's there! ;)

Fortunately, Induc.a is only a PoC: it infected only development systems without implementing any additional malicious functionality.

And now, the promised dessert.

Vulnerability, or How I spent this summer

As you can see, there are many ways to bypass signatures. Our example will consider a modified version of options 1 and 2 above.

So, what do we need?
MakeCert.exe
cert2spc.exe
sign.exe
ruki.sys
mozg.dll

I think it will not be hard for a Habr reader to find these components, but for the laziest I post the first three here. The last two (ruki.sys, "hands", and mozg.dll, "brain") are not distributed because of their tight binding to the hardware, total lack of specificity and cross-platform code :)

So, let's create a trusted publisher certificate. We will try to copy the details of the real VeriSign one as closely as possible:

MakeCert.exe -# 7300940696719857889 -$ commercial -n "CN=VeriSign Class 3 Code Signing 2009-2 CA" -a sha1 -sky signature -l "https://www.verisign.com/rpa" -cy authority -m 12 -h 2 -len 1024 -eku 1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.3 -r -sv veri.pvk veri.cer

On completion we get veri.pvk and veri.cer, suitable for signing.

Now let's create a child certificate issued by the one we just obtained:

MakeCert.exe -# 8928659211875058207 -$ commercial -n "CN=Home Sweet Home" -a sha1 -sky signature -l "http://habrahabr.ru/" -ic veri.cer -iv veri.pvk -cy end -m 12 -h 2 -len 1024 -eku 1.3.6.1.5.5.7.3.3 -sv kl.pvk kl.cer

Finally we get kl.pvk and kl.cer: a trusted-looking certificate from an untrusted publisher. The chain is long enough to fool a naive user. But the result would be the same as before: the certificate is invalid, because there is an untrusted element in the chain. BUT!

Windows can install any certificate, including a self-signed one, as trusted. This is convenient: in some cases a developer can make a self-signed certificate, add it to the trusted store and work with his applications without hassle. In our case it is doubly convenient, because this installation is, obviously, nothing more than writing some data into the registry, and that data is not specific to a particular system.

Install any registry monitor on a test machine, then add our supposed VeriSign certificate to the trusted store. Track where the change happened, and voilà! We can dump the relevant registry branch and then shove it into the installer. In total, our installer writes the registry, automatically turning the root certificate into a trusted one and making the whole chain validate.

To lay all the cards on the table, I will only say that in my case the registry dump looked like this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A61F9F1A51BBCA24218F9D14611AFBA61B86C14C]
"Blob"=hex:04,00,00,.....

Or, if only for the current user:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\A61F9F1A51BBCA24218F9D14611AFBA61B86C14C]
"Blob"=hex:04,00,00,.....
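The dumps above are the whole attack: the key name is the SHA-1 thumbprint of the certificate, and the "Blob" value is the serialized store element Windows keeps for it, a sequence of property records (DWORD property id, DWORD reserved, DWORD length, data), which is why the dump begins with 04,00,00,00 (property 4, CERT_MD5_HASH_PROP_ID) and ends with property 0x20, CERT_CERT_PROP_ID, holding the DER certificate itself. The following is an added example written for this edit, not code from the original post. It parses such a .reg dump offline, pulls the certificate out of each Blob, recomputes the thumbprint, checks it against the key name and the cached SHA-1 property, and flags any entry in a Root or AuthRoot store that is not on a baseline allow-list; that is the check a HIPS rule or a forensic triage of a compromised machine would run against these branches. The .reg text and the "certificates" it contains are constructed placeholders (random byte strings, not real DER), so the thumbprints are whatever SHA-1 of those bytes happens to be.

```python
"""Audit a .reg dump of SystemCertificates\\...\\Certificates\\<thumbprint> keys.

Added example, not part of the original post. Sample data is constructed.
"""
import hashlib
import re
import struct

CERT_SHA1_HASH_PROP_ID = 3     # cached SHA-1 of the certificate
CERT_CERT_PROP_ID = 0x20       # the DER-encoded certificate itself
BLOB_PREFIX = '"blob"=hex:'

# [HKEY_...\...\SystemCertificates\<store>\Certificates\<40 hex digits>]
KEY_RE = re.compile(
    r"^\[(?P<hive>HKEY_[A-Z_]+)\\.*\\SystemCertificates\\(?P<store>[^\\]+)"
    r"\\Certificates\\(?P<thumb>[0-9A-Fa-f]{40})\]$")


def parse_reg_dump(text):
    """Return [(hive, store, key_thumbprint, blob_bytes)] for every cert key.

    Handles regedit's hex: lines, including '\\' line continuations.
    """
    entries, current, hexbuf = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if hexbuf is not None:                       # continuation of a Blob
            hexbuf.append(line.rstrip("\\"))
        else:
            m = KEY_RE.match(line)
            if m:
                current = (m.group("hive"), m.group("store"), m.group("thumb").upper())
                continue
            if current is None or not line.lower().startswith(BLOB_PREFIX):
                continue
            hexbuf = [line[len(BLOB_PREFIX):].rstrip("\\")]
        if not line.endswith("\\"):                  # last line of the value
            entries.append(current + (bytes.fromhex("".join(hexbuf).replace(",", "")),))
            hexbuf = None
    return entries


def parse_blob(blob):
    """Split a serialized store element into {property_id: data}."""
    props, off = {}, 0
    while off + 12 <= len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError("malformed property record at offset %d" % (off - 12))
        props[prop_id] = blob[off:off + length]
        off += length
    if off != len(blob):
        raise ValueError("trailing bytes after last property record")
    return props


def audit(reg_text, baseline):
    """Return [(thumbprint, store, verdict)]; baseline = expected root thumbprints."""
    findings = []
    for hive, store, thumb, blob in parse_reg_dump(reg_text):
        props = parse_blob(blob)
        der = props.get(CERT_CERT_PROP_ID)
        if der is None:
            findings.append((thumb, store, "no certificate in Blob"))
            continue
        actual = hashlib.sha1(der).hexdigest().upper()
        if actual != thumb:   # key name lies about what is stored under it
            findings.append((thumb, store, "key name does not match SHA-1 of stored cert (%s)" % actual))
        elif props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper() not in ("", actual):
            findings.append((thumb, store, "cached SHA-1 property disagrees with certificate"))
        elif store.lower() in ("root", "authroot") and thumb not in baseline:
            findings.append((thumb, store, "trusted root not in baseline (%s)" % hive))
        else:
            findings.append((thumb, store, "ok"))
    return findings


# ---- constructed sample data (placeholders, not real certificates) ----
FAKE_ROOT = b"\x30\x82\x00\x10placeholder-for-a-legitimate-root"
FAKE_LOOKALIKE = b"\x30\x82\x00\x10placeholder-CN=VeriSign-lookalike"


def make_blob(der):
    """Build a Blob the way the store does: SHA-1 property, then the cert."""
    records = [(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest()), (CERT_CERT_PROP_ID, der)]
    return b"".join(struct.pack("<III", pid, 1, len(d)) + d for pid, d in records)


def reg_entry(hive, path, store, thumb, blob):
    pairs = ["%02x" % b for b in blob]
    body = ",\\\n  ".join(",".join(pairs[i:i + 25]) for i in range(0, len(pairs), 25))
    return '[%s\\%s\\SystemCertificates\\%s\\Certificates\\%s]\n"Blob"=hex:%s\n' % (
        hive, path, store, thumb, body)


def sample_reg():
    legit = hashlib.sha1(FAKE_ROOT).hexdigest().upper()
    planted = hashlib.sha1(FAKE_LOOKALIKE).hexdigest().upper()
    return "\n".join([
        "Windows Registry Editor Version 5.00\n",
        reg_entry("HKEY_LOCAL_MACHINE", "SOFTWARE\\Microsoft", "AuthRoot", legit, make_blob(FAKE_ROOT)),
        # a root planted in the per-user store, as the post's key+.reg does
        reg_entry("HKEY_CURRENT_USER", "Software\\Microsoft", "Root", planted, make_blob(FAKE_LOOKALIKE)),
        # a tampered entry: legitimate key name, different certificate inside
        reg_entry("HKEY_LOCAL_MACHINE", "SOFTWARE\\Microsoft", "AuthRoot", legit, make_blob(FAKE_LOOKALIKE)),
    ])


def sample_baseline():
    return {hashlib.sha1(FAKE_ROOT).hexdigest().upper()}


if __name__ == "__main__":
    for thumb, store, verdict in audit(sample_reg(), sample_baseline()):
        print("%-8s %s %s" % (store, thumb, verdict))
```

On a real machine the input is `reg export HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot out.reg` (and the HKCU Root branch), and the baseline is the thumbprint set from a known-good image; anything the audit reports as "not in baseline" in a Root or AuthRoot store is exactly the kind of entry the installer described above drops in.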

After these data are written into the registry, a program with the fake chain signature passed the sigverif.exe check on that machine. Signing our code with the certificate is trivial, just a batch file:

cert2spc.exe kl.cer kl.spc
sign.exe -spc kl.spc -v kl.pvk -n "My Installer" -i "http://habrahabr.ru" -ky signature -$ commercial -a sha1 -t "http://timestamp.verisign.com/scripts/timstamp.dll" myprogram.exe
del kl.spc

Note the use of the timestamp server timestamp.verisign.com/scripts/timstamp.dll. In theory we could use our own server on our own domain, letting us see every time someone verifies our program's signature on their computer, and thus obtain their IP and the time of verification. Convenient, isn't it? ;) (To be precise, the timestamp server is contacted when the signature is made; what a verifier may fetch at verification time is the revocation information at the URLs embedded in the certificates, and the issuer of a homemade chain controls those too.)

The funniest thing is that at the time this material was written, back in October and November 2010, Kaspersky Internet Security 2011 did not watch these registry branches at all and left chain validation to the OS, which we had fooled quite simply. I don't know about now, but it seems some of the branches have since been blocked... Check and report back in the comments!

It should be noted that specialized software not publicly available can also be used to apply signatures. Obviously it does not break the signature, but it gives much more flexibility in filling in the X.500 fields, which gives an even better appearance of validity. Here you can download a curious example. The archive contains the popular Notepad replacement bred3_2k (from its official site) with and without a "Microsoft" signature :) For the signature to be fully valid it suffices to apply the registry changes contained in the key+.reg file. Similarly, the key-.reg file reverts these changes. Trace the certification path, it is curious :)

Just note that the author of the "example" specified his own timestamp server, so any manipulation will let the author learn your IP, with the consequences described above. If you wish, you can track these requests and report in the comments.)

If there is demand, in the next article I will describe how to configure HIPS to protect the relevant registry branches from certificates being introduced as trusted in the way described. Report in the comments; it is possible that this vulnerability has already been fixed.

This article draws on presentations by Jarno Niemela (F-Secure).
Added by: w1zard