'No questions asked' Windows code cert slingers 'fuel trade' in digitally signed malware

Oh it's for a calculator app? OK, wink wink, say no more

Trusted code-signing certificates are being sold to miscreants by allegedly unscrupulous vendors, fueling a growth in digitally signed Windows malware, a study has claimed.

Security researchers at Masaryk University in the Czech Republic, and Maryland Cybersecurity Center (MCC) in the US, identified and monitored four organizations that sold Microsoft Authenticode certificates to anonymous buyers. The same research team also collected a corpus of Windows-targeted malware carrying valid digital signatures.

Having studied this material, the infosec bods concluded that vendors are prepared to sell Authenticode certs to anyone who can afford to pay – no questions asked. These vendors and certificates are trusted by Microsoft and its Windows operating system, so any programs, malicious or otherwise, cryptographically signed using these certs appear more legit than unsigned software.

Signed malware has a greater chance of making it past antivirus scanners and other detection mechanisms, hence why hackers strive to give their malicious code the veneer of respectability with a valid digital signature.

Although a cryptographic signature does not guarantee that software is safe to execute, it helps to establish trust in the program. Consequently, valid signatures help software nasties bypass some malware filters, the MCC-led team explained.

Echoes of Stuxnet

One well-known signed malware example is the Stuxnet worm, which was digitally signed using trusted keys stolen from two Taiwanese semiconductor companies. But the tactic is far from the preserve of high-end nuke-fuel-plant-knackering cyber-weapons like Stuxnet these days, and it crops up in even run-of-the-mill adware.

The need to bypass platform protections such as Microsoft Defender SmartScreen is driving the demand for Authenticode certificates, according to the MCC team.

Hackers are increasingly prepared to pay for code-signing certs rather than stealing these digital credentials, which is a potentially tricky process. Five certificates used to sign malware samples found by MCC had "likely been purchased" from one of the four grey market vendors it was tracking.

“Our evidence suggests that the demand is growing and that the vendors are able to obtain more certificates to respond to this demand,” Tudor Dumitras, one of the researchers and an assistant professor at the University of Maryland, told El Reg.

“The market demonstrates a degree of confidence in the reliability of the certificate supply, especially within a tightly interconnected market segment that accounts for most of the signed malware.

“Unlike in the past, the certificates from signed malware appear to be primarily obtained directly from [certificate authorities], rather than compromised.”

android

(Cryptographically) sign me up! Android to take bad app checks offline

READ MORE

The same team published a study last year detailing how miscreants abused digital certs to smuggle malware past security scanners. This followup study aims to quantify the extent of this abuse as well as sketching out the market behind it.

Flogging digital certificates from the back of a van, figuratively speaking, can be quite lucrative, the researchers found. One of the four apparently dodgy e-credential vendors tracked by the MCC team, for example, was “selling more than 10 certificates per month" netting a "total of $16,150 in revenue” over a period of roughly three months starting from August 2017 from one code-signing cert online shop.

The four allegedly shady e-credential slingers were fingered up after the researchers inspected 28 forums, six link directory websites, four general marketplaces, and dozens of websites trading black market goods.

The research Issued for Abuse: Measuring the Underground Trade in Code Signing Certificates was presented at the Workshop on the Economics of Information Security (WEIS) earlier this month. The paper is available here. The same researchers also released a list of potentially wonky certificates on signedmalware.org. ®




Biting the hand that feeds IT © 1998–2018