Hackers abusing digital certs smuggle malware past security scanners

No longer just a spy game

By John Leyden


Malware writers are widely abusing stolen digital code-signing certificates, according to new research.

Malware that is signed with compromised certificates creates a means for hackers to bypass system protection mechanisms based on code signing. The tactic extends far beyond high profile cyber-spying ops, such as the Stuxnet attack against Iranian nuclear processing facilities or the recent CCleaner-tainted downloads infection.

Security researchers at the University of Maryland found 72 compromised certificates after analysing field data collected by Symantec on 11 million hosts worldwide. "Most of these cases were not previously known, and two thirds of the malware samples signed with these 72 certificates are still valid, the signature check does not produce any errors," Tudor Dumitras, one of the researchers, told El Reg.

"Certificate compromise appears to have been common in the wild before Stuxnet, and not restricted to advanced threats developed by nation-states. We also found 27 certificates issued to malicious actors impersonating legitimate companies that do not develop software and have no need for code-signing certificates, like a Korean delivery service."

Malware creators may not even need to control a code-signing certificate. The Maryland Cybersecurity Centre team found that simply copying an authenticode signature from a legitimate file to a known malware sample — which results in an invalid signature — can cause antivirus products to stop detecting it.

"This flaw affects 34 antivirus products, to varying degrees, and malware samples taking advantage of this are also common in the wild," Dumitras said.

A paper on the topic, Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI (PDF), is due to be presented at the CCS conference in Dallas, TX, on Wednesday. The researchers plan to release a list of the abusive certificates at

A separate study by the Cyber Security Research Institute (CSRI), out this week, uncovered code-signing certificates readily available for purchase on the dark web for up to $1,200 (£902).

Code-signing certificates are used to verify the authenticity and integrity of computer applications and software. Cyber criminals can take advantage of compromised code-signing certificates to install malware on enterprise networks and consumer devices.

"We've known for a number of years that cyber criminals actively seek code-signing certificates to distribute malware through computers," said Peter Warren, chairman of the CSRI. "The proof that there is now a significant criminal market for certificates throws our whole authentication system for the internet into doubt and points to an urgent need for the deployment of technology systems to counter the misuse of digital certificates."

Code-signing certificates can be sold many times over, according to Venafi, a security firm that specialises in the protection of machine to machine identity protection. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Kaspersky Lab loses the privilege of giving Twitter ad money

Twitter's loss is the EFF's gain

Sir, you've been using Kaspersky Lab antivirus. Please come with us, sir

US govt bans agencies from using Russian outfit's wares

WikiLeaks drama alert: CIA forged digital certs imitating Kaspersky Lab

Vault 8 release says spooks used disguise to siphon off data

Surprise: Norks not actually behind Olympic Destroyer malware outbreak – Kaspersky

Who framed Pyongyang, then, we wonder

Kaspersky Lab's move from Russia to Switzerland fails to save it from Dutch oven

Netherlands turns up the heat as transparency plans unveiled

'We've nothing to hide': Kaspersky Lab offers to open up source code

Response to US fretting over alleged ties to Russian snoops

Brit bank Barclays' Kaspersky Lab diss: It's cyber balkanisation, hiss infosec bods

Analysis It's 2017: Is the splinternet nearer than ever?

Another US government committee takes aim at Kaspersky Lab

Worries about 'espionage, sabotage, or other nefarious activities' cough - NSA! - cough

It's 'nyet' again, yet again, for Kaspersky: Appeal against US govt ban snubbed by Washington DC court

Appeals judges shoot down Russian vendor's plea

Pain in the brain! Kaspersky warns of hackable brain implants

That furious clicking you hear is Charlie Brooker frantically writing his next script