Analysis of malicious software detection mechanism bypass by SHA-1 and SHA-2 combination

Analysis of malicious software detection mechanism bypass by SHA-1 and SHA-2 combination

Symantec recently posted on its blog that it is aware of a disturbing attack trend in malware. After stealing a normal SHA-2 certificate, malware can survive more easily.

SHA-1 is insecure.

This change is part of the evolution of malware. After all, SHA-1 has been targeted by security companies. Malware wants to use this method to make infected systems think they are normal code. If the system is as expected, malware will have a higher probability of escaping from detection.

Microsoft has announced that it will give up support for SHA-1 Signed files in some cases after January 1, 2016. The creators of malware responded that they would join the stolen SHA-2 certificate.

Symantec mentioned the old bank Trojan. Carberp. B, which has been applied after self-modification. This type of content usually embeds an infected attachment in an email document and uses ATTN 00890 as the title. Of course, this email and attachment use the language for the accounting department.

The infected attachment contains a malicious macro that uses ROT13 encryption, which allows the infected machine to download a signed binary file from a server in Mauritius: sexit.exe, and perform automatic installation.

SHA-2 may have its own problems

Researchers found that sexit.exe signed two signatures, one based on SHA-1 and the other based on SHA-2, all to escape operating system security detection. Using a SHA-1 certificate alone may not be accepted by the new operating system, but using a SHA-2 certificate alone will not be accepted by older systems (such as Windows XP sp3 ).

Of course, there is a benefit to doing so. After the SHA-1 certificate is found to be forged by signature verification, we also have a SHA-2 certificate as a backup.

The rise of this technology shows how malware creators adapt to new certificate rules. Of course, it will not spread immediately, because the creators still need to study how to be compatible with old systems, but it will come soon.