Google researchers are warning that hackers are now using a flaw in digital signatures to bypass detection in Windows security. OpenSUpdater software uses this new technique.
Malware devs create malformed code signatures that appear to be valid when recognized by Windows. But the malware can’t be detected by the OpenSSL code used in its security scanners. And windows accepts, and OpenSSL rejects.
This tactic is actively used to push OpenSUpdater, classified as a form of riskware, to inject ads into victims’ browsers. And it also installs other malware onto their devices and PCs.
Because the OpenSSL-powered security solutions that parse digital signatures will bypass the samples’ maliciousness. It rejects the signature information as invalid, disrupting the malware detection process.
Once downloaded the adware program is impossible to control. And it shows you unwanted ads, as you try to browse the web.
Information about these breaches comes from OpenSUpdater samples sent to VirusTotal.
OpenSUpdater report from Google alerts Microsoft
A report from the tech giant’s threat analysis group (TAG) was published on The Digital Hacker Thursday. The breaching issue was discovered by Google TAG researcher Neel Mehta.
“Since mid-August, OpenSUpdater samples have carried an invalid signature, and further investigation showed this was a deliberate attempt to evade detection,” Mehta explains.
“Security products using OpenSSL to extract signature information will reject this encoding as invalid.
“However, to a parser that permits these encodings, the digital signature of the binary will otherwise appear legitimate and valid.”
Since Google TAG first discovered this hacking technique, OpenSUpdater developers have attempted to vary it on invalid encodings to make it even harder to detect, Mehta added.
Microsoft working on a fix
The majority of those targeted by OpenSUpdater attacks are U.S.-based users who download cracked games. Hackers that are financially motivated execute coordinated malware attacks on a large number of devices, reports Bleeping Computer.
Microsoft Defender Antivirus detects and removes this new threat.
Google TAG is presently collaborating with the Microsoft Safe Browsing team to stop OpenSUpdater from spreading onto more devices. And it’s urging its users to make sure they download and install software from genuine and trustworthy sources.