Malware researchers from AVAST Software have come across an older digitally signed Norton Antivirus component, which despite having been infected by a known virus is not detected by most anti-malware programs.
The AVAST analysts suspected a false positive when a file carrying a valid Symantec digital signature triggered detection under a generic signature called Win32:Injected-AZ.
The file in question is called LuComServer.exe (Live Update Communication Server) and is the update component in older Symantec products like Norton Antivirus, Symantec Internet Security and others.
Upon closer inspection it was determined that the sample dates back to 2002 and shows signs of tampering by a file infector called Win32.Foroux.a.
Microsoft first implemented its digital code signing system called Authenticode in Windows NT in order to help people determine a file's origin and authenticity.
However, it wasn't until Vista and UAC that the practice took off and started being adopted by more developers, in addition to the major software companies.
AVAST's CTO Ondrej Vlcek told us in a recent interview that Authenticode helped the AV industry a lot, because it allowed vendors to use the digital signatures for whitelisting.
For example, a rule could tell the antivirus that if a file carries a digital signature from Microsoft, then it is most likely clean and should be skipped during scanning.
It's worth noting that a digital signature becomes invalid if an unauthorized party makes modifications to the file carrying it.
But, in the case of the infected LuComServer.exe discovered by AVAST the digital signature still validates.
"This implies that the binary was injected before the signature was added. A wild, sci-fi scenario is that there was a certificate leak similar to the Stuxnet case, but I seriously doubt it," Michal Krejdl, a virus researcher with the Czech antivirus vendor, says.
"I tend to believe a scenario where this binary has been passed through the signing and releasing process due to a human error," he adds.
And even though a manual analysis shows clear signs of Foroux injection, when scanning the file on VirusTotal, no other antivirus except avast! picks it up.
It's hard to believe that none of the 42 products available on the online service has a generic signature able to detect the rogue code, which leaves just one explanation: they're fooled by that valid Symantec signature.
Leaving lingering questions about Symantec's quality assurance processes aside, due to the age of the file, this whole AV whitelisting deal could become a serious problem if malware authors begin signing their malware.
It has already been demonstrated numerous times that sophisticated trojans like ZeuS, which are capable of stealing files, are able to penetrate the defenses of Fortune 500 or 1000 companies and infect computers on their networks without being detected.
A lot of these companies release digitally signed software, which means they hold trusted certificates that malware authors could steal and use to sign their own creations.
"Fortunately the malcode inside seems to have never been executed, therefore this specific case is not a critical issue. But generally – such unintentional modifications (malicious or not) should not stay under the radar when we want to trust in the safety of properly signed binaries (especially that this injected and signed binary was a part of Symantec security products)," the AVAST researcher concludes.