Stopping Certified Malware

Malware authors frequently add signatures from expired or compromised certificates to bypass AV products that don’t validate those signatures correctly. Last week, researchers from the University of Maryland presented evidence that this technique is much more widespread than previously believed. Their research was highlighted at the ACM Conference on Computer and Communications Security and in an Ars Technica article. In addition to measuring the prevalence of this technique, the researchers also used it themselves to add two different expired certificates to five malicious ransomware samples. Obviously, just adding a digital signature, expired or not, to a piece of malware does not render it benign. However, according to the researchers, this technique fooled some big names in the industry including Crowdstrike, SentinelOne, Malwarebytes, TrendMicro, Microsoft, Symantec, Kaspersky, and Sophos.  MalwareScoreTM was one of the AV engines to successfully label each of the ten newly created samples as malicious. How did Endgame’s MalwareScoreTM pass the researchers’ test?

First, let’s review the purpose of signatures and certificates in allowing users to trust executable code. Certificates for signing code come from the same system and trust architecture as those used for HTTPS connections on websites. When executable code is properly signed with these certificates, it has been certified to originate from the organization that was issued the certificate and hasn’t been tampered with since. When certificates for code signing are issued, they're given an expiration date much like many organizations have a password expiration date. In order to prevent signed code from expiring with the certificate, as an optional step, a signed timestamp with the time and date of the signature can be attached. The timestamp is generally issued by a time server run by the Certificate Authority that issued the certificate. If a signed timestamp is not attached, then the signature should be considered invalid if the certificate that signed it is expired. This allows verification that the code was signed while the certificate was valid. As long as all of the pieces of information are there, the signature can be validated even after a signature has expired.

The researchers found that many AV engines were fooled by signatures that could not be validated. MalwareScoreTM, a machine learning based engine for detecting malicious executables, was not fooled. There are two main reasons for this. First, the features extracted from the tens of millions of training samples do not include information about the signature. The features are focused on a range of features, such as libraries imported, functions exported, and the name, size, and complexity of all the sections in the PE file. Since we do not train on signatures and certificates such as those used in these attacks, MalwareScoreTM is not fooled when invalid or expired signatures are added to a file, and returns an accurate label despite their presence.

Finding malicious executables is a tough enough problem that we complement our machine learning decisions with limited whitelisting on hashes and signatures. This added layer helps reduce false positives on customer deployments. Imprecise validation of certificates could have led us to trust some of the invalid signatures added to the ransomware tested by the researchers and falsely label them benign. Limiting the certificates that we whitelist, and thoroughly testing our certificate validation code gives us confidence that our whitelisting only affects legitimate software. The research presented last week by the University of Maryland provides us additional confirmation that our approach helps detect a broad range of techniques while still keeping the false positives low.

MalwareScoreTM has already been tested by many independent agencies and we’re happy that these academic researchers determined our malware detection capability to be resilient against a particular attack. We also continually and rigorously test MalwareScoreTM internally to validate that it’s the best AV engine on the market. However, it is important to remember that no single protection method is perfect. That is why Endgame pairs MalwareScoreTM with other industry- leading protections for process injection, privilege escalation, credential theft, and many others. Endgame’s layered approach to security is the most effective at stopping a broad range of attack vectors. As the University of Maryland research confirmed, this includes stopping the latest creative malware-based attacks that slip through other AV solutions, but are quickly detected within the Endgame platform.