Blog | G5 Cyber Security

Signed Malware AV Detection

TL;DR

Signed malware can bypass traditional antivirus (AV) detection because it appears legitimate. This guide explains how to improve detection rates by focusing on behaviour, reputation checks, and advanced analysis techniques.

Improving AV Detection of Signed Malware

  1. Understand the Problem: Signed malware uses valid digital signatures from trusted authorities. AV often trusts these signatures, allowing the file to run without scrutiny. The signature doesn’t guarantee the *content* is safe, only that it hasn’t been tampered with since signing.
  2. Behavioural Analysis: This is your strongest defence.
    • Monitor System Calls: Track what the signed file actually does. Does it create suspicious processes? Modify critical system files? Access sensitive data?
    • Sandboxing: Run the file in a safe, isolated environment (sandbox) to observe its behaviour without risking your main system. Many commercial AV solutions include sandboxing features.
  3. Reputation Checks: Even with a valid signature, check the reputation of the file and publisher.
    • Threat Intelligence Feeds: Subscribe to reputable threat intelligence feeds that provide information on known malicious files and publishers.
    • File Hash Lookups: Check if the file’s hash (a unique fingerprint) is associated with any known malware using services like VirusTotal (https://www.virustotal.com).
      # VirusTotal v3 requires an API key in the x-apikey header; replace the placeholder with your own key
      curl -X POST 'https://www.virustotal.com/api/v3/files' -H 'x-apikey: YOUR_VT_API_KEY' -F file=@"your_malware_file.exe"
    • Publisher Reputation: Investigate the signing certificate issuer. Is it a legitimate authority? Have they been compromised before?
  4. Advanced Static Analysis (for deeper investigation):
    • Disassembly: Use tools like IDA Pro or Ghidra to disassemble the file and examine its code. This requires significant expertise.
    • String Extraction: Extract strings from the file. Suspicious strings (e.g., URLs, registry keys) can indicate malicious intent.
      strings your_malware_file.exe | grep suspicious_keyword
  5. YARA Rules: Create YARA rules to identify specific patterns in the malware's code or data.
    • Rule Example (very basic):
      rule signed_malware {
          meta:
              description = "Detects a simple pattern in signed malware"
          strings:
              $string1 = "suspicious function call"
          condition:
              all of them
      }
  6. Certificate Pinning/Validation Checks: Ensure the certificate is valid and hasn't been revoked.
    • Check Certificate Chain: Verify that the entire certificate chain is trusted.
    • Revocation Lists (CRL): Check if the certificate has been revoked by the issuing authority.
  7. Machine Learning Models: Train machine learning models to identify malicious behaviour patterns.
    • Feature Engineering: Extract relevant features from files (e.g., API calls, imports, sections).
    • Training Data: Use a large dataset of both benign and malicious samples to train the model.
  8. Regular Updates: Keep your AV software, threat intelligence feeds, and YARA rules up-to-date.
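The following is an added example (not code from the G5 Cyber Security post) showing how steps 2, 3 and 6 combine into a single verdict: a valid signature is never allowed to short-circuit the hash reputation, publisher reputation, chain/revocation and behaviour checks. The reputation sets, publisher name and behaviour weights are constructed for the demo and are not real indicators; the Sample fields stand in for what a sandbox, EDR sensor or signature verifier would report.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed reputation data for the demo, not real indicators: a hash that a
# threat feed would flag, and a publisher whose signing key is known to be compromised.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-bad-sample").hexdigest()}
COMPROMISED_PUBLISHERS = {"CN=Hypothetical Leaked Key Ltd"}

# Behaviours a sandbox or EDR sensor would report for the file, with a risk weight each.
BEHAVIOUR_WEIGHTS = {
    "spawns_shell": 3,            # launches cmd.exe / powershell.exe as a child process
    "writes_system_dir": 3,       # modifies files under the system directory
    "persistence_registry": 4,    # writes an autorun registry key
    "reads_credential_store": 5,  # touches stored credentials
}

@dataclass
class Sample:
    content: bytes          # file bytes (hashed for the reputation lookup)
    signed: bool            # carries an Authenticode-style signature
    chain_trusted: bool     # signature chains to a trusted root
    revoked: bool           # signing certificate appears on the issuer's CRL
    publisher: str          # subject of the signing certificate
    behaviours: list = field(default_factory=list)

def verdict(s: Sample, threshold: int = 5) -> tuple:
    """Return (label, reasons); label is 'malicious', 'suspicious' or 'benign'.
    A valid signature never short-circuits the other checks: reputation and
    behaviour are evaluated for every file, signed or not."""
    reasons = []
    if hashlib.sha256(s.content).hexdigest() in KNOWN_BAD_SHA256:
        reasons.append("hash listed as known malware")
    if s.signed and (not s.chain_trusted or s.revoked):
        reasons.append("signature does not chain to a trusted root or is revoked")
    if s.publisher in COMPROMISED_PUBLISHERS:
        reasons.append("publisher's signing key known to be compromised")
    score = sum(BEHAVIOUR_WEIGHTS.get(b, 0) for b in s.behaviours)
    if score >= threshold:
        reasons.append(f"behaviour score {score} reached threshold {threshold}")
    # Hash hits and behaviour over threshold are conclusive; certificate or
    # publisher problems on their own are escalated for analyst review.
    if any(r.startswith(("hash", "behaviour")) for r in reasons):
        return "malicious", reasons
    if reasons:
        return "suspicious", reasons
    return "benign", reasons
```

Tune the weights and threshold to the sensor's actual event vocabulary; the structure, not the numbers, is the point.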