PUBLIC DEFENDER Windows 11 erases Windows 10 digital-signature fix
By Brian Livingston

A Registry tweak recommended by Microsoft to guard against malware in digitally signed files is wiped out in Windows 10 if you upgrade to Windows 11. As if that weren’t bad enough, at least one major software company has distributed to 600,000 customers worldwide a Trojan horse hidden in an executable file that’s certified by Microsoft’s very own digital signature. The fact that malware can be inserted into an executable file — without invalidating the file’s digital signature — casts doubt on the whole idea that you can trust digitally signed files.
As shown in Figure 1, one of the hacked files that was widely distributed, d3dcompiler_47.dll, appears in its Properties dialog box to have a legitimate digital signature from Microsoft. But if you add two short keys to the Registry in Windows 10 or 11, the Properties dialog box shows no Digital Signatures tab at all, indicating that the file’s original content has been altered.

Making the Registry change doesn’t actually protect you from hacked files that appear to have valid digital signatures. For one thing, the Registry tweak doesn’t prevent you from downloading and running a maliciously altered file, infecting your device. You would receive no warning. I’ll show you the real problem and how to protect yourself from it.

Distributing malware files digitally signed by Microsoft is bad news
There’s an underlying stupidity here: Digitally signed executable files contain data areas that are ignored by Microsoft’s Authenticode verification scheme. These areas are supposed to contain the digital signature itself, followed by zeros. But instead of zeros, bad people can place within the so-called WIN_CERTIFICATE data structure any number of malware instructions. This is called Authenticode stuffing.

Way back in December 2013, Microsoft itself recognized how serious this hack could be. In that year’s Security Advisory 2915720, the company introduced a fix and notified the software industry that the firm would soon make the change mandatory:

“When enabled, the new behavior for Windows Authenticode signature verification will no longer allow extraneous information in the WIN_CERTIFICATE structure, and Windows will no longer recognize non-compliant binaries as signed. Note that Microsoft may make this a default behavior in a future release of Microsoft Windows.”

Microsoft announced in the advisory that stricter Authenticode verification would become the default in Windows nine months later, on August 12, 2014. However, Microsoft lost its nerve and amended its advisory in July 2014, before the change went into effect. The new advice was that the strict behavior would never become mandatory in Windows, because too many software developers were writing data into the “ignored” area:

“However, as we worked with customers to adapt to this change, we determined that the impact to existing software could be high. Therefore, Microsoft no longer plans to enforce the stricter verification behavior as a default requirement.”

For instance, the Google Chrome installer for Windows writes into its digital-signature data area whether or not you left a box checked, agreeing that your usage data may be uploaded to a Google server. CERT security analyst Will Dormann explains this in a tweet thread.
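The check the advisory describes, as an added example that is not code from this column or from Microsoft: a small Python parser that splits one WIN_CERTIFICATE entry into its DER-encoded PKCS#7 signature and whatever sits after it, and flags any non-zero bytes in the area that should hold only padding. The WIN_CERTIFICATE entries and the stand-in PKCS#7 blob are constructed for the example; a real entry would carry a full SignedData structure, and the parser would be run on the bytes the PE security directory points to.

```python
import struct

# WIN_CERTIFICATE header: dwLength (4), wRevision (2), wCertificateType (2), then bCertificate[]
WIN_CERT_HDR = struct.Struct("<IHH")
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

def der_sequence_length(buf):
    """Total encoded size of the DER SEQUENCE starting at buf[0], or None if malformed."""
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    first = buf[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long-form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def check_win_certificate(blob):
    """Return (signature_bytes, extraneous_bytes) for one WIN_CERTIFICATE entry.
    Everything after the DER SEQUENCE should be zero padding; anything else is 'stuffing'."""
    dw_length, _revision, cert_type = WIN_CERT_HDR.unpack_from(blob, 0)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or not WIN_CERT_HDR.size <= dw_length <= len(blob):
        raise ValueError("not a PKCS#7 WIN_CERTIFICATE entry, or dwLength is out of range")
    body = blob[WIN_CERT_HDR.size:dw_length]
    sig_len = der_sequence_length(body)
    if sig_len is None or sig_len > len(body):
        raise ValueError("bCertificate does not start with a complete DER SEQUENCE")
    trailing = body[sig_len:]
    extraneous = trailing.rstrip(b"\x00")  # zero padding to 8-byte alignment is legitimate
    return body[:sig_len], extraneous

def is_stuffed(blob):
    """True when non-zero data follows the signature inside the entry."""
    return len(check_win_certificate(blob)[1]) > 0

def build_entry(signature, extra=b""):
    """Constructed helper: wrap bytes in a WIN_CERTIFICATE, zero-padding to 8 bytes."""
    body = signature + extra
    body += b"\x00" * (-len(body) % 8)
    return WIN_CERT_HDR.pack(WIN_CERT_HDR.size + len(body), WIN_CERT_REVISION_2_0,
                             WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body

# Constructed stand-in for a PKCS#7 blob: SEQUENCE { INTEGER 1, OCTET STRING "A" } (8 bytes)
FAKE_PKCS7 = bytes.fromhex("3006020101040141")
CLEAN_ENTRY = build_entry(FAKE_PKCS7)                            # signature + zero padding only
STUFFED_ENTRY = build_entry(FAKE_PKCS7, b"opt-in-usage-stats=1")  # installer-style data after it
```

`is_stuffed` answers the question the strict behaviour asks; a hash over the whole file, rather than over only the parts Authenticode covers, is what actually changes when that trailing data changes.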
Additional examples include the Dropbox installer and various other software products that were developed using Google’s Omaha code project, according to an excellent explanation by Kevin Jones. He’s the developer of Authenticode Lint, a tool to check digital signatures (GitHub). The Authenticode weakness has been exploited by virus authors many times. But the bits really hit the fan on March 30, 2023, when 3CX, a major provider of VoIP telephone software, announced that hackers had turned two executable files in its Windows and Mac packages into Trojan-horse malware. Because the virus payload was in an area ignored by Authenticode, Microsoft’s digital signature still appeared valid. The Trojan, once loaded, contacted a bot server for instructions (see Figure 2).
3CX software is reportedly used by more than 600,000 companies worldwide. Over 12 million people make calls using its VoIP software on a typical day. 3CX’s customers include big names such as Air France, Coca-Cola, IKEA, McDonald’s, Toyota, and the UK National Health Service. Getting rid of the malware — which gave the hackers total control of a device — required 3CX’s customers to uninstall the client software on every individual machine. Yuck.

How to protect yourself against ‘dangerously signed’ software
Fortunately, antivirus companies recognized the strange behaviors coming out of 3CX’s software and started warning users — while blocking the malware. The National Institute of Standards and Technology (NIST) has documented the threat and given it the identifier CVE-2023-29059. That document links to many antivirus companies whose software immediately halted the Trojan’s suspicious activity, including CrowdStrike, Fortinet, Huntress, and Sophos.

This particular Authenticode-stuffing attack is the work of the Lazarus Group, a state-supported North Korean team, according to numerous experts — including a tweet by Kaspersky malware researcher Georgy Kucherin.

For its part, Microsoft recommends that users employ the Redmond company’s own antivirus software rather than rely on the rather weak Registry tweak. The firm said this month in a statement (Dark Reading):

“As a best practice, we encourage customers to apply all the latest security updates for better protection. In addition, Defender for Endpoint and Microsoft Defender antivirus can detect and block the domains and files involved with this threat.”

Quick action by many antivirus vendors helped to protect users and minimize infections. This included deleting from public servers the file repositories the Trojan had used, as well as blocking the domain names the hackers employed for command-and-control purposes. With the neutralization of the perps’ online resources, there’s little danger that the hackers can now command or control the Trojan to do anything.

That leaves you with no reason to add the Registry tweak, since it provides little to no protection from infection. But if you want to experiment, Microsoft specifies the following Registry keys for 64-bit Windows installations:
Follow these steps to add the keys to the Registry:
Be sure to read Microsoft’s Security Advisory 2915720 for details on this procedure. For example, there’s a different file to use on 32-bit systems, and you should be aware that some software installers may fail when stricter Authenticode checking is in effect. And if you add the Registry tweak to Windows 10, watch out if you upgrade to Windows 11. The new OS silently deletes your addition, and you must remember to apply it again. Sheesh.
The PUBLIC DEFENDER column is Brian Livingston’s campaign to give you consumer protection from tech. If it’s irritating you, and it has an “on” switch, he’ll take the case! Brian is a successful dot-com entrepreneur, author or co-author of 11 Windows Secrets books, and author of the new fintech book Muscular Portfolios. Get his free monthly newsletter.
The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.
Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, AskWoody.com, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody Tech LLC. All other marks are the trademarks or service marks of their respective owners. Copyright ©2023 AskWoody Tech LLC. All rights reserved.