Report on digital signature attacks: a security crisis that destroys the "credit system" of software identity

Posted by santillano at 2020-03-04


Recently, 360's core security business unit found that malicious attacks exploiting software digital signatures are active all over the world. The attackers' targets include software developers, individual users, and important government bodies, enterprises and institutions, and the attacks take various forms, including stealing and counterfeiting the legitimate digital signatures of software developers and large-scale targeted attacks that poison popular software.

In these attacks the primary target is the software developer, around whose digital signature the attackers build various forms of attack: embedding malicious code in an installation package that carries the enterprise's legitimate digital signature, so that users who download the official software from regular channels are infected "on their own initiative"; or stealing and counterfeiting an enterprise's digital signature to mass-produce "legitimate" Trojans that evade antivirus detection. Malicious use of software digital signatures is becoming more and more serious. This kind of attack is more threatening than a conventional Trojan: most users find it very hard to tell apart, and security software without a strict detection mechanism easily lets it through, which seriously endangers network security.

Introduction to software signature security

A "digital signature" is an electronic security mark that can be attached to a file. It is used to verify the publisher of the file and to check whether the file has been changed since it was signed. If a file has no valid digital signature, there is no way to ensure that it actually comes from the source it claims to come from, or that it has not been tampered with since it was published. For example, the built-in UAC (User Account Control) feature of Windows requires the user to confirm interactively before an operation that may affect the computer's operation or change settings that affect other users is performed, and the program's publisher is displayed in the security prompt when the file is opened, for the user's reference.

If a program has no digital signature, UAC shows the publisher as unknown and the interactive prompt is yellow, warning the user that the program's publisher cannot be verified and that running it carries a security risk.

Figure 1

The interactive prompt for a program with a valid digital signature is blue; it shows the verified publisher and indicates that the program can be run safely if the publisher is trusted.

Figure 2

For a legitimate program that has been digitally signed, the signature can be viewed in the properties of the program file so that the user can identify and confirm it.

Figure 3

Analysis of current digital signature attack forms

Because a digital signature verifies the identity and integrity of a file, it has naturally become the "ID card" of all kinds of legitimate software. On the basis of the trust relationship between legitimate vendors and users, and between vendors themselves, most security vendors trust programs that carry a digital signature and a legitimate identity by default. Attackers target exactly this trust relationship. They attack the release process of legitimate software, implant malicious code into legitimately signed packages by exploiting various oversights or vulnerabilities, and even directly steal or fraudulently use the digital signatures of legitimate software developers, so that their attacks bypass the checks of security products. This undermines the trust relationship between vendors and users, damages the reputation of software developers, and also creates obstacles to detection and removal by security software. Such attacks are currently becoming more and more intense and fall mainly into the following three forms.

Software supply chain attacks

The main form of this attack is to plant malicious code in a vendor's legitimately signed package. For example, nssock2.dll, a key network communication component of the NetSarang software series, was recently implanted with malicious code. The vendor did not discover the malicious code when releasing the software, so the infected component was given a legitimate digital signature and shipped with the new version of the software package. Because the software is widely used by programmers and network operations and maintenance managers, this led to a large-scale targeted attack in which users of the software were "actively" infected.

Figure 4

The nssock2.dll file containing the malicious code was digitally signed by NetSarang on July 13, 2017, as shown in the figure below:

Figure 5

Signature theft attacks

Attackers may steal a vendor's digital signature to sign and distribute Trojans directly, or exploit security vulnerabilities in signed programs to launch attacks. For example, the recently emerged malicious virus "Kuzzle", which uses various technical means to evade security software, directly misappropriates a company's digital signature to sign and distribute the virus, and also abuses a digitally signed driver issued by a security vendor to load its execution code. The virus infects the master boot record (MBR) and volume boot record (VBR) of the user's computer and hijacks the browser home page for profit, while also accepting remote instructions from the virus author to carry out other sabotage.

The legitimately signed driver that is maliciously abused is shown in the figures below:

Figure 6

Figure 7

Attacks using fraudulently obtained signatures

Attackers use the identity information of well-known companies to apply to foreign certification authorities for digital signatures in those companies' names, and then use them to sign and distribute malicious programs. This kind of attack leaves the software vendor taking the blame through no fault of its own. Recently, the core security whitelist analysis team of 360 Group found that attackers had applied for company digital certificates from overseas certification authorities by forging the information of well-known companies, and used them to sign large numbers of malicious game private-server programs and Trojans; many well-known companies were caught in the crossfire. A malicious program signed with such a fake signature is shown in the figure below:

Figure 8

Analysis of the impact of digital signature attacks

Attacks on software digital signatures not only succeed against users but also damage the reputation of vendors. Because users trust the software vendor, they actively download and update the software, so the attack spreads widely; at the same time, a Trojan issued with an "ID card" is, because of that trust relationship, not easily detected and removed by security software in a short time.

The following are sample statistics of user activity of the Xshell backdoor. The actual figures are expected to be about 5 times larger than the sample data: tens of thousands of victims are actively using the backdoored Xshell every day.

Figure 9

In the same period, the signatures of some legitimate companies were used to sign other malicious programs. The timeline spans from the beginning of this year, and the reputation of some companies has been seriously damaged.

Figure 10

According to 360 big data monitoring statistics, about 400 newly abused samples and 350,000 new infections have appeared this year. The following figure shows the geographical distribution of victims before August 2017: Zhejiang, Liaoning and Guangdong lead among the coastal areas, and Sichuan and Hunan among the inland areas.

Figure 11

Analysis of typical digital signature attack cases

Technical analysis of XShellGhost

Recently, the widely used server remote management software Xmanager, Xshell, Xftp and Xlpd was reported to be flagged by multiple antivirus products. After investigation and analysis by the 360 Helios team, it was confirmed that key modules of several NetSarang products had been implanted with an advanced backdoor, a large-scale attack that intrudes on and infects supply chain software; the team named it "XShellGhost". The program is a precise targeted attack platform in which every functional module is implemented as shellcode. By infecting the supply chain software and chaining the shellcode modules, the client-side attack achieves remote control with no autostart entries and no files dropped to disk, and supports multiple communication protocols. The backdoor lurks on the victim's computer waiting for the attacker's cloud control platform to send shellcode data for execution, and the cloud side may even conduct selective targeted attacks on the basis of the uploaded user information.

Analysis of the remote control steps

The remote control of XShellGhost consists of five main steps:

1. Xshell and the other affected software load the infected component nssock2.dll at startup, which decrypts shellcode1 and executes it.

2. Shellcode1 decrypts shellcode2, which performs the following functions:

a) creates a registry key and reports data to the DGA domain name corresponding to the current month;

b) uploads user information to the attacker by sending it through well-known public DNS resolvers;

c) writes the received data into the created registry key;

d) decrypts shellcode3 using the obtained key1 and key2 and executes it;

3. Shellcode3 creates a log file and writes information to it, starts the system process svchost.exe, modifies the code at its OEP, and injects the Root module as shellcode for execution.

4. The initialization routine of the Root module loads and initializes the functional modules Plugins, Config, Install, Online and DNS, then calls Install->InstallByCfg to obtain the configuration, monitor the registry and create a global mutex, and then calls Online->InitNet;

5. The function Online->InitNet initializes the network-related resources according to its configuration, sends information to the specified service address, and waits for the cloud side to dynamically send the code for the next stage of the attack.

Figure 12

Functional module analysis of the backdoor

In this attack all modules are scheduled and loaded as shellcode and managed uniformly in a modular way. The backdoor is divided into five main modules: Root, Plugins, Config, Install and Online.

Analysis of the network communication module

The network communication management module (Online) is the key module of this attack. In this incident we found the DNS module; although several other network modules (TCP, HTTP, UDP, HTTPS, SSL) appear in the code, they were not actually activated in the shellcode. The function interfaces and functions of each network module are shown in the table below:

The extension and operation of each network module depend on the function interface list provided by the Online module:

After reading the network proxy configuration, InitNet calls function A once per second. If function A returns 20000, the function finishes completely. The logic of function A:

Figure 13

The logic of function B, which waits for code sent from the cloud to execute:

Figure 14

The communication module known to be used in this attack is the DNS module. The backdoor communicates using DNS tunneling:

This module sends three types of packets:

1. Initialization packet, size 0x18

Figure 15

2. Data packet, size 0x8 or more

Figure 16

3. Close packet, size 0x8

Figure 17

Its send function is as follows:

Figure 18

Figure 19

Figure 20

When function No. 2 of the DNS module is called to return the custom object, it calls GetAdaptersAddresses to obtain the DNS servers of the network adapters:

Figure 21

It collects at most 0x10 DNS servers. Then, when function 3 of the module is called, it uses the collected DNS servers together with the 4 DNS addresses from the config file, cycles through them sending a query to each until one of them returns data or a timeout occurs, and records the first DNS server that replied. When sending later, it only sends to that first responding DNS server.

Figure 22

Figure 23

When a packet is sent, the data is nested inside the DNS protocol: it is encoded into a specific string and prepended to the C&C DNS domain from the configuration, which realizes the DNS tunnel communication.

Figure 24
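The DNS-tunnel behaviour described above (data encoded into a label under the C&C domain and sent to whichever resolver answered first) leaves a characteristic trace in resolver logs: many unique, long, high-entropy leftmost labels under a single base domain. The following Python script is an added example, not code from the original report or from 360; it applies that heuristic to a constructed DNS query log. The `cc-example.net` domain and every log line are invented, since the report does not name the C&C domains, and the thresholds are starting points to tune against real traffic.

```python
"""Heuristic DNS-tunnel detector over a constructed DNS query log (defender-side analysis)."""
import math
from collections import defaultdict

# Constructed sample log: timestamp, client, record type, queried name.
# "cc-example.net" is a placeholder for a C&C domain; nothing here is a real capture.
SAMPLE_LOG = """\
2017-08-14T10:00:01 192.0.2.10 A www.example.com
2017-08-14T10:00:02 192.0.2.10 A mail.example.com
2017-08-14T10:00:03 192.0.2.10 A cdn.example.com
2017-08-14T10:00:04 192.0.2.10 A www.example.com
2017-08-14T10:00:05 192.0.2.10 A static.example.com
2017-08-14T10:00:06 192.0.2.10 TXT a7k2m9x4q1z8w3e6r5t0y2u7.cc-example.net
2017-08-14T10:00:07 192.0.2.10 TXT p3n8b5v1c6m0z9x4l2k7j5h1.cc-example.net
2017-08-14T10:00:08 192.0.2.10 TXT q9w8e7r6t5y4u3i2o1p0a1s2.cc-example.net
2017-08-14T10:00:09 192.0.2.10 TXT d4f5g6h7j8k9l0z1x2c3v4b5.cc-example.net
2017-08-14T10:00:10 192.0.2.10 TXT m1n2b3v4c5x6z7l8k9j0h1g2.cc-example.net
"""


def shannon_entropy(s):
    """Bits of entropy per character of a string (0 for a constant string)."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (leftmost label, base domain) for a query name; trailing dots are ignored."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[0], ".".join(labels[-2:])


def profile(log_text):
    """Aggregate per-base-domain statistics: query count, unique leftmost labels,
    summed label entropy and summed label length."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "entropy": 0.0, "label_len": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, _rtype, qname = line.split()
        first, base = split_name(qname)
        st = stats[base]
        st["queries"] += 1
        st["subdomains"].add(first)
        st["entropy"] += shannon_entropy(first)
        st["label_len"] += len(first)
    return stats


def suspicious_domains(log_text, min_queries=5, min_len=16.0,
                       min_entropy=3.0, min_unique_ratio=0.8):
    """Base domains whose queries look like encoded data: mostly unique, long,
    high-entropy leftmost labels.  Ordinary hostnames (www, mail, cdn) fail the
    length and entropy tests even when every query is unique."""
    flagged = []
    for base, st in profile(log_text).items():
        q = st["queries"]
        if q < min_queries:
            continue
        if (st["label_len"] / q >= min_len
                and st["entropy"] / q >= min_entropy
                and len(st["subdomains"]) / q >= min_unique_ratio):
            flagged.append(base)
    return sorted(flagged)


if __name__ == "__main__":
    print(suspicious_domains(SAMPLE_LOG))   # ['cc-example.net']
```

Run against a real resolver log by replacing `SAMPLE_LOG` with the log text; the base-domain split is a simple two-label rule, so multi-label public suffixes (for example `.co.uk`) need a public suffix list for accurate grouping.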

Typical cases of signature theft and whitelist abuse attacks

The official main program of the "Shuame" (brush wizard) phone flashing tool is disguised as "photo.exe" and spread through QQ; it loads a forged shuamemanager.dll.

Figure 25

The forged shuamemanager.dll misappropriates the digital signature of "Beijing Financial Union Financial Information Technology Co., Ltd.":

Figure 26

The forged shuamemanager.dll has the same export function "startshume" as the official shuamemanager.dll, so the main program loads it.

Figure 27

In fact, the real malicious code starts when shuamemanager.dll is loaded; sensitive API calls are hidden by assembling their names from string fragments, and a worker thread is created directly:

Figure 28

The worker thread's task is to decrypt an encrypted file "coonfig.dat", obtain a DLL from it in memory, and then load it:

Figure 29

The decryption algorithm is a simple addition and XOR operation, with an initial key of 9:

Figure 30

After 9 rounds of decryption, coonfig.dat yields a DLL in memory, and the worker thread then prepares to load it and call its export function "initmyentry":

Figure 31

First it checks whether the decrypted data has the expected format; if it is a valid PE, it parses it and allocates memory of the corresponding size for loading:

Figure 32

It then parses and maps the file according to the PE format, and calls the DLL's entry point function to initialize it.

Figure 33

After the decrypted DLL is loaded and initialized, it looks up the address of the export function "initmyentry" and jumps to it directly:

Figure 34
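The two loader details above, a forged DLL that reproduces the genuine DLL's export name (here "startshume") so the host program loads it, and a decoded payload whose "initmyentry" export is located by walking its export table, both come down to reading the PE export directory. The Python below is an added example, not code from the original report; it parses a PE export table with only the standard library and, because the page's samples are not available, fabricates a minimal non-loadable PE32 image with `build_minimal_pe()` (constructed scaffolding, not a real file) to run against.

```python
"""Read the export directory of a PE image, the structure a side-loaded DLL must mimic
and a memory loader walks to find an export by name.  build_minimal_pe() is scaffolding
that fabricates a bare PE32 image containing only an export directory."""
import struct


def build_minimal_pe(dll_name, exports):
    """Fabricate a minimal, non-loadable PE32 image with one .edata section (test data only)."""
    sect_rva, sect_off, n = 0x1000, 0x200, len(exports)
    funcs_rva = sect_rva + 40                      # export directory is 40 bytes
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    str_rva = ords_rva + 2 * n
    strings, name_rvas = dll_name + b"\0", []
    for name in exports:
        name_rvas.append(str_rva + len(strings))
        strings += name + b"\0"
    sect = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_rva, 1, n, n,
                       funcs_rva, names_rva, ords_rva)
    sect += b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n))  # fake code RVAs
    sect += b"".join(struct.pack("<I", r) for r in name_rvas)                # name RVAs
    sect += b"".join(struct.pack("<H", i) for i in range(n))                 # name ordinals
    sect += strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                        # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)       # i386, 1 section, DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                     # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, sect_rva, len(sect))                     # export data directory
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".edata", len(sect), sect_rva, len(sect),
                          sect_off, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdr
    return headers.ljust(sect_off, b"\0") + sect


def _rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset using the section table."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA %#x is not backed by any section" % rva)


def pe_exports(data):
    """Return {export name: function RVA}; raise ValueError if `data` is not a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # data directories start at +96 for PE32 and +112 for PE32+; entry 0 is the export table
    exp_rva = struct.unpack_from("<I", data, opt + (96 if magic == 0x10B else 112))[0]
    if exp_rva == 0:
        return {}
    sec_tbl = opt + opt_size
    sections = [struct.unpack_from("<III", data, sec_tbl + 40 * i + 12) for i in range(nsect)]
    d = _rva_to_offset(sections, exp_rva)
    _n_funcs, n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from("<IIIII", data, d + 20)
    funcs, names, ords = (_rva_to_offset(sections, r) for r in (funcs_rva, names_rva, ords_rva))
    result = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", data, names + 4 * i)[0]
        ordinal = struct.unpack_from("<H", data, ords + 2 * i)[0]
        off = _rva_to_offset(sections, name_rva)
        name = data[off:data.index(b"\0", off)].decode("ascii")
        result[name] = struct.unpack_from("<I", data, funcs + 4 * ordinal)[0]
    return result


def shared_exports(a, b):
    """Export names two images have in common (what a side-loading DLL must reproduce)."""
    return sorted(set(pe_exports(a)) & set(pe_exports(b)))


if __name__ == "__main__":
    genuine = build_minimal_pe(b"shuamemanager.dll", [b"startshume"])
    forged = build_minimal_pe(b"shuamemanager.dll", [b"startshume"])
    payload = build_minimal_pe(b"decoded.dll", [b"initmyentry"])
    print("shared exports:", shared_exports(genuine, forged))   # ['startshume']
    print("payload exports:", pe_exports(payload))             # {'initmyentry': 8192}
```

On a real file, `pe_exports(open(path, "rb").read())` lists the names; comparing the export set of a DLL found next to a signed host program with the vendor's genuine copy, together with the signer check, is how the "same export, different code" substitution above is spotted.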

From the analysis, shuamemanager.dll is in fact a memory loader for an encrypted program, using a series of countermeasures to evade detection; the specific malicious activity depends on the program decrypted from coonfig.dat. One of the functions of the coonfig.dat paired with shuamemanager.dll is to call the third-party tool nircmd.exe to add startup items. The command parameters are:

Figure 35

The launched target program elantech.exe merely carries a file name disguised as the "touchpad" driver; in fact it is a program similar to the "Shuame" case above. There are two main kinds of elantech.exe, one of which is the official program of the YY game client:

Figure 36

The malicious DLL that YY's program is used to load is "videosdk.dll". "videosdk.dll" and the forged shuamemanager.dll use the same decryption key and loader framework, also carry the stolen digital signature of "Beijing Financial Union Financial Information Technology Co., Ltd.", and in the end both load the initmyentry function exported by the program decrypted from coonfig.dat to carry out malicious activities. The other kind of elantech.exe is an updater of the Korean antivirus software "Doctor An", which is used to load a DLL named "ahnupctl.dll"; its function and technique are similar to the above, so it is not discussed further here.

Tracking of signature forgery attacks in 2017

Fraudulent use of signatures

360 has analyzed and disclosed the methods of signature forgery several times, so only a brief explanation is given here. The figure below compares an official digital signature with a fake one. Both display as valid, and both have the signer subject "Shanghai ** Software Co., Ltd.". The left picture is the company's official program signature, while the right one is a fake digital signature: the forger used the company's information to apply for a certificate in its name from the overseas certification authority "Go Daddy".

Figure 37

So far, the discovered fake signatures were mainly obtained from two foreign certification authorities, "Go Daddy" and "Starfield". The eight new fake signatures found this year are listed below; each corresponds to several digital certificates, and some have already been revoked by the issuer:

Figure 38
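A practical way to hunt for the fraudulently obtained certificates described above is to inventory the signer subject and issuer of every signed file seen in an environment and look for a known vendor's name suddenly appearing under an issuer it never used before. The Python below is an added example, not code from the original report; the inventory records, the vendor name and the issuer names ("Example Trusted CA", "Overseas CA Inc.") are constructed placeholders standing in for the redacted "Shanghai ** Software Co., Ltd." and the Go Daddy / Starfield certificates on the page, and the file hashes are fake.

```python
"""Find vendor names that gained a new certificate issuer: the pattern behind certificates
fraudulently obtained in a well-known company's name (defender-side hunting query)."""
import re
from collections import defaultdict
from datetime import date

# Constructed signature inventory, as an endpoint agent or a PE-scanning job would emit it:
# (signer subject, issuing CA, certificate serial, file SHA-256, first seen).
# Subjects, issuers, serials and hashes are all invented placeholders.
OBSERVED = [
    ("Shanghai Example Software Co., Ltd.", "Example Trusted CA", "01",   "a" * 64, date(2016, 3, 1)),
    ("Shanghai Example Software Co., Ltd.", "Example Trusted CA", "01",   "b" * 64, date(2017, 1, 9)),
    ("SHANGHAI EXAMPLE SOFTWARE CO.,LTD",   "Overseas CA Inc.",   "7f3a", "c" * 64, date(2017, 6, 2)),
    ("Shanghai Example Software Co., Ltd.", "Overseas CA Inc.",   "7f3a", "d" * 64, date(2017, 6, 5)),
    ("Other Vendor Ltd.",                   "Example Trusted CA", "09",   "e" * 64, date(2017, 2, 1)),
]


def normalize_subject(subject):
    """Fold case, punctuation and spacing so 'Co., Ltd.' and 'CO.,LTD' compare equal;
    a forged certificate often differs from the genuine one only in such details."""
    return re.sub(r"[^a-z0-9]+", " ", subject.lower()).strip()


def issuer_timeline(records):
    """For each normalized subject: issuer -> first-seen date, serials and file hashes."""
    timeline = defaultdict(dict)
    for subject, issuer, serial, sha256, seen in records:
        entry = timeline[normalize_subject(subject)].setdefault(
            issuer, {"first_seen": seen, "serials": set(), "files": []})
        entry["first_seen"] = min(entry["first_seen"], seen)
        entry["serials"].add(serial)
        entry["files"].append(sha256)
    return timeline


def new_issuer_alerts(records, baseline_before):
    """Subjects that already had an issuer before `baseline_before` and then gained
    another one on or after it; each alert lists the newcomer's serials and files."""
    alerts = []
    for subject, issuers in issuer_timeline(records).items():
        established = {i for i, e in issuers.items() if e["first_seen"] < baseline_before}
        newcomers = {i for i, e in issuers.items() if e["first_seen"] >= baseline_before}
        if established and newcomers:
            for issuer in sorted(newcomers):
                alerts.append({
                    "subject": subject,
                    "established_issuers": sorted(established),
                    "new_issuer": issuer,
                    "serials": sorted(issuers[issuer]["serials"]),
                    "files": issuers[issuer]["files"],
                })
    return alerts


if __name__ == "__main__":
    for alert in new_issuer_alerts(OBSERVED, date(2017, 1, 1)):
        print(alert["subject"], "newly signed by", alert["new_issuer"],
              "files:", len(alert["files"]))
```

An alert is a lead, not a verdict: a vendor may legitimately switch CAs, so the next step is to confirm with the vendor and check the newcomer certificate's revocation status, as the page notes some of these certificates were revoked by the issuer.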

Sample analysis

The following mainly analyzes the hijacking type of private-server program that carries a fake signature; other malicious programs are not analyzed here because of their limited spread.

(1) Process framework

360 has intercepted many kinds of hijacking programs with fake signatures, and the hijacking components change frequently, but the overall functional framework is relatively stable. The whole running flow of the sample is shown below. Some program modules use random file names on the player's computer; the annotated name in the figure (such as [msvcs.dll]) is the module name used by the private server for that component.

Figure 39

As the flow chart shows, this module carries out two hijacking processes. The first, in the upper part of the flow chart, has dnetsup.dll as its parent module and ultimately hijacks by installing a file filter driver; the second, in the lower part, has drvsup.dll as its parent module and ultimately hijacks by installing a TDI filter driver.

(2) DNS hijacking through the file filtering process

The file filtering process relies on the .NET (dotnet) runtime, so dnetsup.dll first checks for and installs the .NET environment, and then obtains a chance to run by registering a general class library. Once the registration succeeds, every time the user starts the browser the hijacking module (donetset2/4) is "injected" into the browser process and its code is executed. With our behavior monitoring tool we can see two additional child processes under the process tree of Internet Explorer, which are actually created by the hijacking module donetset2.dll injected into it (see below):

Figure 40

When the component's working routine starts running, it installs or starts the file filter driver and saves a hosts list to the file dida.mid to carry out local DNS hijacking. In the browser's process tree it can be seen downloading the hijacking list file and invoking the ipconfig command through cmd to flush the DNS cache.

Figure 41

The format of the downloaded list is the same as that of the system hosts file. It is mainly used to hijack the DNS requests of security software and of competitors:

Figure 42

The driver installed by this module is extracted from its resources, and dhelperkit.dll is responsible for communicating with the file filter driver. The driver comes from a product called "CallbackFilter" by Eldos, which is actually a library that provides file system filtering functionality to developers:

Figure 43

dhelperkit.dll controls the driver library to complete the hijacking. The module's export function "kitstartcbltfs" uses the API provided by "CallbackFilter" to operate the file filter driver cbfltfs3.sys and hijacks DNS through its file system filtering. Specifically, it registers a file name (path) re-parsing callback that, when a system process accesses the path of the local hosts file, redirects the request to a new controlled path (the path of the dida.mid file):

Figure 44

When the dida.mid list file has been downloaded again and the DNS cache has been flushed by the command, the process responsible for network services loads the new hosts list into the local DNS cache. When security software or a competing private server then goes online, it first queries the DNS cache, finds the matching records in the cached list, and has its domain name resolution redirected, which blocks or hijacks its network functions. Checking the system's hosts file at this point shows nothing unusual, but the ping command verifies that DNS has been hijacked:

Figure 45

Because the target domain name is hijacked and redirected to a local loopback address, the network request for the hijacked domain name (IP**360safe.com) is blocked, which interferes with the normal networking of the security software. Of course, the domain names to be hijacked are assigned by the cloud, and the hijacking list can be changed at any time. For example, the following is a group of hijacked well-known game websites, all hijacked to a fixed IP address (139.***.246.167):

Figure 46
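Because the served list uses plain hosts-file syntax, the hijack pattern described above (security-vendor names sent to a loopback address, many game sites sent to one fixed IP) can be audited mechanically once the list has been recovered, for example from the dida.mid file or from a capture of the download. The Python below is an added example, not code from the original report; its list and all host names are constructed, and 203.0.113.5 (a documentation address) stands in for the redacted fixed IP shown on the page.

```python
"""Audit a hosts-format hijack list: which names it blackholes and which IP it funnels
many names into (defender-side analysis of a recovered list)."""
import ipaddress
from collections import defaultdict

# Constructed list in hosts-file syntax; vendor and game names are invented and
# 203.0.113.5 is a documentation address used as the redirect target placeholder.
SAMPLE_LIST = """\
# served list (constructed)
127.0.0.1 localhost
::1       localhost
127.0.0.1 update.example-av.test
127.0.0.1 cloud.example-av.test   # block the AV cloud lookup
0.0.0.0   rival-server.example.test
203.0.113.5 www.game-one.example.test
203.0.113.5 www.game-two.example.test
203.0.113.5 login.game-three.example.test
"""

# Names that legitimately map to loopback and must not be reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; handles comments, blank lines,
    malformed lines and several names on one line, like the system parser."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                       # not a hosts entry
        for name in parts[1:]:
            yield ip, name.lower()


def audit_hosts_list(text, sinkhole_threshold=3):
    """Return the names blackholed to loopback/unspecified addresses and the IPs
    that collect at least `sinkhole_threshold` distinct names (redirect targets)."""
    blocked = []
    by_ip = defaultdict(list)
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if ip.is_loopback or ip.is_unspecified:
            blocked.append(name)
        else:
            by_ip[str(ip)].append(name)
    sinkholes = {ip: names for ip, names in by_ip.items() if len(names) >= sinkhole_threshold}
    return {"blocked": blocked, "sinkholes": sinkholes}


if __name__ == "__main__":
    report = audit_hosts_list(SAMPLE_LIST)
    print("blackholed:", report["blocked"])
    for ip, names in report["sinkholes"].items():
        print("redirect target", ip, "collects", len(names), "names")
```

The same function run over the real system hosts file should report nothing, which is exactly the discrepancy the page describes: the file on disk is clean while the served list, and therefore the DNS cache, is not.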

(3) Network traffic hijacking through the TDI filtering process

Next we analyze the TDI filtering process, which ultimately hijacks the user's network traffic through a driver. The parent module drvsup.dll determines the system environment through IsWow64Process, chooses to download the x64 or x86 TDI driver accordingly, and saves it locally as mstd32.sys:

Figure 47

After downloading, it starts the driver directly in the normal way of starting a service:

Figure 48

Once the driver is loaded, all subsequent steps are completed by the driver itself without any further interaction with the user-mode program. Each time the driver starts, it downloads a hijacking list tdipaddr.dll into memory and parses it into a linked list for later hijack filtering:

Figure 49

The downloaded list changes often, and several different versions are distributed at the same time, hijacking different kinds of well-known websites. Below is one of the intercepted versions, which contains a large number of well-known game company websites hijacked to a server IP of a search engine (14.**38):

Figure 50

Later, when filtering I/O requests, this list is used to match the hosts accessed by the current network request:

Figure 51

All network I/O requests that match the filtering rules are marked. When the corresponding response arrives, the received data is modified: a 301 redirect response header is added, or an HTML frame is embedded, to carry out the hijack, and the modified content is finally returned to the user-mode program (such as the browser) that made the request:

Figure 52

For example, when we visit the official website of Shanda Games normally through the browser, it looks like this:

Figure 53

However, once the driver hijack is in place, visiting the Shanda Games website triggers a redirect to a search engine (or another address, controlled by the cloud list), preventing the user from visiting the game website normally. From the packet capture tool of 360 Browser we can see that the hijacking method is to embed an HTML frame pointing to the search engine's address:

Figure 54
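The two tampering patterns described above, an added 301 redirect and an embedded HTML frame pointing at the search engine, can both be recognized in the response as the browser receives it, by comparing the redirect target or the frame source against the host that was actually requested. The Python below is an added example, not code from the original report or from 360 Browser's capture tool; the three responses and every host name in them are constructed.

```python
"""Inspect a raw HTTP response for off-host redirects and off-origin frames,
the two modifications the TDI filter driver makes (defender-side check)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class FrameCollector(HTMLParser):
    """Collect the src attribute of every <iframe>/<frame> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            for key, value in attrs:
                if key == "src" and value:
                    self.sources.append(value)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def host_of(url):
    """Host name of an absolute URL, or '' for a relative reference such as '/news'."""
    return (urlsplit(url).hostname or "").lower()


def tampering_findings(requested_url, raw_response):
    """Return human-readable findings for a response to `requested_url`: a redirect
    whose Location points to another host, or a frame whose src is off-origin."""
    findings = []
    origin = host_of(requested_url)
    status, headers, body = parse_response(raw_response)
    if status in (301, 302, 307, 308):
        target = host_of(headers.get("location", ""))
        if target and target != origin:
            findings.append("redirect %d to off-host %s" % (status, target))
    if "html" in headers.get("content-type", ""):
        collector = FrameCollector()
        collector.feed(body)
        for src in collector.sources:
            target = host_of(src)
            if target and target != origin:
                findings.append("frame to off-origin %s" % target)
    return findings


# Constructed responses (not real captures) for the usage example below.
GENUINE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
           "<html><body><h1>Game portal</h1><iframe src=\"/news\"></iframe></body></html>")
FRAMED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
          "<html><body><iframe src=\"http://search.example.test/?q=game\" "
          "width=\"100%\" height=\"100%\"></iframe></body></html>")
REDIRECTED = ("HTTP/1.1 301 Moved Permanently\r\n"
              "Location: http://search.example.test/\r\n\r\n")

if __name__ == "__main__":
    site = "http://www.game-portal.example.test/"
    for label, resp in (("genuine", GENUINE), ("framed", FRAMED), ("redirected", REDIRECTED)):
        print(label, tampering_findings(site, resp) or "no findings")
```

A legitimate site may itself redirect to a sibling host (for example to add or drop "www"), so in practice the off-host check is paired with an allowlist of the site's own domains; the frame check has no such ambiguity, since a first-party page does not normally fill itself with a full-size frame of a search engine.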

When debugging the hijacking process, the driver's filtering of a visit to the Shanda Games website can also be observed:

Figure 55

Finally, we found that the driver registers a shutdown callback: when the system shuts down, it renames the driver file and rewrites it to increase its concealment. The driver path is shown in the figure below; the file name is 8 random letters:

Figure 56

After rewriting the driver file, the new driver path is registered as a boot-start service to ensure that the hijacking activity on the user's computer continues.

Figure 57

Summary and security recommendations

Since the beginning of 2017, attackers have produced Trojans with "ID cards" by stealing the digital signatures of legitimate companies, have systematically and deliberately intruded into and contaminated vendors' software release processes, and have finally even used social engineering to impersonate vendors and obtain digital signatures with which to carry out attacks. Many software vendors, and the users of many reputable software products, have become the main targets of attackers.

A software developer's digital signature is the "ID card" of the software itself. If this identity is used maliciously, it harms the company's business reputation and at the same time destroys the vendor's trusted identity in the software security system, so that neither security vendors nor users trust its software identity any longer and the vendor loses many users. Software vendors therefore have an obligation to protect their own digital signatures; if they find that a signature has been attacked, they should promptly notify users of how to respond and take effective measures to reduce users' losses.

In addition, users should also realize that a digital signature is only one way to identify software, and that signed software is not absolutely secure. Software with an "identity" still needs to be treated with vigilance, and security software with a strict and reliable detection mechanism should be used to guard against malicious attacks.

* Author: 360 security guard; reprint from