UGOTAG | Videos with Chapter Markers  
  

Episode Markers
  • 03:10
     
    #layout of an internally signed Portable Executable (PE)
    Overview of the layout of an internally signed Portable Executable (PE) file, including the Attribute Certificate Table (ACT).
  • 04:33
     
    #entire file except for three fields used in signing   
    Windows calculates the hash of the entire file except for three fields used in signing: the Checksum, IMAGE_DIRECTORY_ENTRY_SECURITY (the security directory), and the Attribute Certificate Table.
  • 04:50
     
    #data can be appended to the ACT without altering the signature   
    Additional data can be appended to the ACT without altering the signature of the file.
  • 05:03
     
    #malicious payload PE being appended to the ACT   
    Diagram of a malicious payload PE being appended to the ACT. The size in the ACT and in the security directory must be altered accordingly, but neither of these is signed.
  • 12:19
     
    #How the code from the ACT is executed   
    How the code from the ACT is executed by the reflective loader.
  • 19:00
     
    #attack can be prevented by parsing the ACT as a WIN_CERTIFICATE   
    This attack can be prevented by parsing the ACT as a WIN_CERTIFICATE, validating the PKCS #7 and X.509 to check for additional data.
  • 19:42
     
    #Demo using the Hydracrypt ransomware   
    Demo using the Hydracrypt ransomware from within a signed Microsoft Office file.
  • 24:29
     
    #DeepInstinct claims that the detection is based on Deep Learning   
    DeepInstinct claims that the detection is based on Deep Learning and not a feature-based detection.

Certificate Bypass: Hiding and Executing Malware from a Digitally Signed Executable

by Tom Nipravsky

Malware developers are constantly looking for new ways to evade the detection and prevention capabilities of security solutions. In recent years, we have seen many different tools, such as packers and new encryption techniques, help malware reach this goal of hiding the malicious code. If the security solution cannot unpack the compressed or encrypted malicious content (or at least unpack it dynamically), then the security solution will not be able to identify that it is facing malware. To further complicate the matter, we present a new technique for hiding malware (encrypted and unencrypted) inside a digitally signed file (while still keeping the file with a valid certificate) and executing it from the memory, using a benign executable (which acts as a reflective EXE loader, written from scratch). Our research demonstrates our Certificate Bypass tool and the Reflective EXE Loader. During the presentation, we will focus on the research we conducted on the PE file st






Community tags: computer_security