Analysis of malicious software detection mechanism bypass by SHA-1 and SHA-2 combination

Source: Internet
Author: User

Symantec recently posted on its blog that it is aware of a disturbing trend in malware: after stealing a legitimate SHA-2 certificate, malware can survive on a system much more easily.

SHA-1 is insecure.

This change is part of the evolution of malware. After all, SHA-1 has been targeted by security companies for some time. Malware authors use this method to make infected systems treat their code as legitimate; if the system accepts the signature as expected, the malware has a higher probability of escaping detection.

Microsoft has announced that it will end support for SHA-1 signed files in some cases after January 1, 2016. Malware creators responded by adding a stolen SHA-2 certificate alongside the existing one.

Symantec mentioned an old banking Trojan, Carberp.B, which has been reused after self-modification. Campaigns of this kind usually deliver the infected attachment in an email with "ATTN 00890" as the subject. Of course, the email and attachment use language aimed at the accounting department.

The infected attachment contains a malicious macro, obfuscated with ROT13, that makes the infected machine download a signed binary, sexit.exe, from a server in Mauritius and install it automatically.

SHA-2 may have its own problems

Researchers found that sexit.exe carries two signatures, one based on SHA-1 and the other based on SHA-2, both intended to evade the operating system's security checks. A SHA-1 certificate alone may not be accepted by newer operating systems, while a SHA-2 certificate alone is not accepted by older systems (such as Windows XP SP3).

Of course, there is a further benefit to doing so: if the SHA-1 signature is found to be forged during signature verification, the SHA-2 certificate is still there as a backup.
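As an added example (not from the article or from Symantec), the following Python triage script reads a PE file's Authenticode security directory and reports which digest algorithms each signature uses, flagging a binary that, like sexit.exe, carries both a SHA-1 and a SHA-256 based signature. It assumes the standard PE32/PE32+ header layout; the OID match is a byte-pattern heuristic over the PKCS#7 blob rather than a full ASN.1 parse, and build_sample_pe is a constructed stand-in used only to exercise the code, not a real signed file.

```python
import struct

# DER-encoded digest-algorithm OIDs (tag 0x06, length, contents) matched as raw
# byte patterns against the PKCS#7 blob; a heuristic, not a full ASN.1 parse.
DIGEST_OIDS = {
    "sha1": bytes.fromhex("06052b0e03021a"),              # 1.3.14.3.2.26
    "sha256": bytes.fromhex("0609608648016503040201"),    # 2.16.840.1.101.3.4.2.1
}
# Microsoft nested-signature attribute OID 1.3.6.1.4.1.311.2.4.1 (second signature
# normally rides inside the first signature's unsigned attributes).
NESTED_OID = bytes.fromhex("060a2b060104018237020401")


def security_directory(pe):
    """Return (file offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY, or None."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                               # 4-byte signature + 20-byte file header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)      # data directories: PE32 vs PE32+
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)   # entry 4 = SECURITY
    return (off, size) if size else None


def signature_digests(pe):
    """Per WIN_CERTIFICATE entry: (sorted digest names seen, nested-signature flag)."""
    span = security_directory(pe)
    if span is None:
        return []
    off, end, out = span[0], span[0] + span[1], []
    while off + 8 <= end:
        length = struct.unpack_from("<I", pe, off)[0]   # dwLength includes the 8-byte header
        if length < 8:
            break
        body = pe[off + 8:off + length]
        out.append((sorted(n for n, oid in DIGEST_OIDS.items() if oid in body),
                    NESTED_OID in body))
        off += (length + 7) & ~7                        # entries are 8-byte aligned
    return out


def dual_signed(pe):
    """True when the file carries both a SHA-1 based and a SHA-256 based signature."""
    algs = {a for digests, _ in signature_digests(pe) for a in digests}
    return {"sha1", "sha256"} <= algs


def build_sample_pe(cert_body):
    """Constructed stand-in for a signed PE32 (headers only, no code, no real certificate)."""
    hdr = bytearray(0x40 + 4 + 20 + 224)              # DOS header, PE sig, file hdr, optional hdr
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)           # e_lfanew
    struct.pack_into("<H", hdr, 0x58, 0x10B)          # PE32 magic at optional header start
    cert = struct.pack("<IHH", 8 + len(cert_body), 0x0200, 0x0002) + cert_body
    struct.pack_into("<II", hdr, 0x58 + 96 + 4 * 8, len(hdr), len(cert))
    return bytes(hdr) + cert
```

On a real binary, call dual_signed(open(path, "rb").read()); a hit is a review trigger, not proof of malice, since legitimate vendors also dual-sign for old-OS compatibility.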

The rise of this technique shows how malware creators adapt to new certificate rules. Of course, it will not spread immediately, because creators still need to work out how to stay compatible with older systems, but it will come soon.
