Hackers find a new way to make Malware Undetected on Windows

Amol Rangari
5 min readJan 22, 2022

--

The new approach was discovered to be utilised by the OpenSUpdater, which is known for downloading and installing other suspicious apps on infected devices. The majority of the campaign’s targets are people in the United States who are prone to downloading cracked games and other grey-area products.

The information comes from a group of OpenSUpdater samples that have been uploaded to Antiviruses since at least mid-August.

Adversaries have used illegally obtained digital certificates to get adware and other unwanted software past malware detection tools, or poisoned the software supply chain by embedding the attack code into digitally signed, trusted software components, OpenSUpdater stands out for its deliberate use of malformed signatures to get past defences.

The artefacts are signed using an invalid leaf X.509 certificate that has been altered to contain an End-of-Content (EOC) marker instead of a NULL tag in the SignatureAlgorithm field’s ‘parameters’ element. Although programmes that use OpenSSL to acquire signature information reject such encodings as incorrect, tests on Windows PCs would allow the file to be run without any security warnings.

Techniques hackers use to attack antivirus softwares

  • Code packing and encryption: Most worms and Trojan viruses are compressed and encrypted. Hackers also create custom tools for packaging and encrypting data. Every Internet file that was processed with CryptExe, Exeref, PolyCrypt, and other tools was discovered to be malicious.
  • code mutation: Hackers try to hide their dangerous software by combining a Trojan virus’s code with spam’ instructions — so that the code takes on a different appearance while the Trojan retains its original purpose. On all, or nearly all, occasions when the Trojan is downloaded from an infected website, code mutation occurs in real time. This method was utilised by the Warezov mail worm, which produced some significant epidemics.
  • Stealth Techniques: Rootkit technologies, commonly used by Trojan infections, can intercept and replace system functions, making the infected file invisible to the operating system and antivirus software. The registry branches — where the Trojan is registered — and other system files are sometimes disguised as well. Malicious programmes that employ these techniques include the HacDef backdoor Trojan.
  • Blocking antivirus programs and antivirus database updates: Many Trojan viruses and network worms will actively explore the list of active applications on the victim PC for antivirus products. After that, the infection will attempt to either Block antivirus software, damage antivirus databases or prevent the antivirus software’s update operations from working properly.
  • Masking the code on a website: Antivirus companies will soon discover the addresses of websites containing Trojan virus files, and their virus analysts will examine the content of these sites before adding the new malware to their databases. However, in order to avoid antivirus scanning, a webpage can be updated such that when an antivirus business sends a request, a non-Trojan file is downloaded instead of a Trojan.
  • ‘Quantity’ Attacks: When a large number of new Trojan variants are spread over the Internet in a short period of time, this is known as a Quantity Attack. As a result, antivirus companies are swamped with new samples to investigate. The cybercriminal believes that by analysing each sample, their malicious code will have a better chance of invading consumers’ computers.

Without malicious software removal tools, removing a computer virus or spyware might be tough. After viruses and spyware have been found and deleted, some computer infections and other undesirable applications reinstall themselves. Fortunately, you can help completely remove undesirable software by updating your computer and employing malicious software removal programmes.

  • Blocking antivirus programs and antivirus database updates: Many Trojan viruses and network worms will actively explore the list of active applications on the victim PC for antivirus products. After that, the infection will attempt to either Block antivirus software, damage antivirus databases or prevent the antivirus software’s update operations from working properly.
  • Masking the code on a website: Antivirus companies will soon discover the addresses of websites containing Trojan virus files, and their virus analysts will examine the content of these sites before adding the new malware to their databases. However, in order to avoid antivirus scanning, a webpage can be updated such that when an antivirus business sends a request, a non-Trojan file is downloaded instead of a Trojan.
  • ‘Quantity’ Attacks: When a large number of new Trojan variants are spread over the Internet in a short period of time, this is known as a Quantity Attack. As a result, antivirus companies are swamped with new samples to investigate. The cybercriminal believes that by analysing each sample, their malicious code will have a better chance of invading consumers’ computers.

Without malicious software removal tools, removing a computer virus or spyware might be tough. After viruses and spyware have been found and deleted, some computer infections and other undesirable applications reinstall themselves. Fortunately, you can help completely remove undesirable software by updating your computer and employing malicious software removal programmes.

Here are some tips that can help protect you from downloading software that you don’t want:

  • Only download programs from sites that you trust. If you’re not sure whether to trust a program that you want to download, enter the name of the program into your favorite search engine to see whether anyone else has reported that it contains spyware.
  • Read all security warnings, license agreements, and privacy statements that are associated with any software that you download.
  • Never click “Agree” or “OK” to close a window that you suspect might be spyware. Instead, click the red “x” in the corner of the window or press Alt + F4 on your keyboard to close a window.
  • Be wary of popular “free” music and movie file-sharing programs, and make sure that you understand all the software packaged with those programs.
  • Use a standard user account instead of an administrator account. An administrator account can access anything on the system, and any malware run with an administrator account can use the administrator permissions to potentially infect or damage any files on the system.

--

--

Amol Rangari
Amol Rangari

Written by Amol Rangari

I am Cyber Security Expert, Security Researcher and bug hunter

Responses (2)