Hackers abusing digital certs smuggle malware past security scanners

No longer just a spy game

By John Leyden


Malware writers are widely abusing stolen digital code-signing certificates, according to new research.

Malware that is signed with compromised certificates gives hackers a means to bypass system protection mechanisms that rely on code signing. The tactic extends far beyond high-profile cyber-spying ops such as the Stuxnet attack against Iranian nuclear processing facilities or the recent CCleaner tainted-download infection.

Security researchers at the University of Maryland found 72 compromised certificates after analysing field data collected by Symantec on 11 million hosts worldwide. "Most of these cases were not previously known, and two-thirds of the malware samples signed with these 72 certificates are still valid; the signature check does not produce any errors," Tudor Dumitras, one of the researchers, told El Reg.

"Certificate compromise appears to have been common in the wild before Stuxnet, and not restricted to advanced threats developed by nation-states. We also found 27 certificates issued to malicious actors impersonating legitimate companies that do not develop software and have no need for code-signing certificates, like a Korean delivery service."

Malware creators may not even need to control a code-signing certificate. The Maryland Cybersecurity Centre team found that simply copying an Authenticode signature from a legitimate file onto a known malware sample, which results in an invalid signature because the signed hash no longer matches the file, can cause antivirus products to stop detecting it.

"This flaw affects 34 antivirus products, to varying degrees, and malware samples taking advantage of this are also common in the wild," Dumitras said.
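The following is an added example, not code from the paper or from The Register, showing why "the file carries a signature blob from a trusted signer" is not the same as "the signature verifies". The PE parsing and the hash computation follow the Authenticode specification (skip the CheckSum field and the security data-directory entry, hash the sections, exclude the appended certificate table). The contents of the certificate blob, the signer names, the allowlist and the minimal PE images are constructed stand-ins: a real signature wraps the digest in PKCS#7 SignedData under a signing key, and a real verifier would check that with a crypto library rather than the placeholder used here.

```python
# Added example (not from the paper or The Register): a copied Authenticode blob
# fools a scanner that only looks at the signer, but not one that recomputes the
# hash. Blob contents, signer names and PE images are constructed stand-ins.
import hashlib
import hmac
import struct

SECURITY_DIR = 4                            # IMAGE_DIRECTORY_ENTRY_SECURITY
TRUSTED_SIGNERS = {"Legit Software Ltd"}    # constructed allowlist


def _layout(pe):
    """Offsets the hash needs: CheckSum, security dir entry, SizeOfHeaders, sections."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    datadir = opt + (112 if magic == 0x20B else 96)     # PE32+ vs PE32
    sections = []
    for i in range(nsections):
        sh = opt + opt_size + 40 * i
        size_raw, ptr_raw = struct.unpack_from("<II", pe, sh + 16)
        sections.append((ptr_raw, size_raw))
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    return opt + 64, datadir + 8 * SECURITY_DIR, size_of_headers, sections


def authenticode_hash(pe: bytes) -> bytes:
    """SHA-256 of the image as Authenticode defines it: skip CheckSum and the
    security directory entry, hash sections in file order, leave out the
    appended certificate table (so attaching a signature does not change it)."""
    checksum_off, secdir_off, size_of_headers, sections = _layout(pe)
    _, cert_size = struct.unpack_from("<II", pe, secdir_off)
    h = hashlib.sha256()
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:secdir_off])
    h.update(pe[secdir_off + 8:size_of_headers])
    hashed = size_of_headers
    for ptr_raw, size_raw in sorted(sections):
        h.update(pe[ptr_raw:ptr_raw + size_raw])
        hashed += size_raw
    if len(pe) > hashed:                    # overlay data, minus the certificate table
        h.update(pe[hashed:len(pe) - cert_size])
    return h.digest()


def get_signature(pe: bytes):
    """(signer, signed_digest) from the WIN_CERTIFICATE blob, or None if unsigned.
    Stand-in for PKCS#7 parsing: the body here is 32-byte digest + signer name."""
    _, secdir_off, _, _ = _layout(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir_off)
    if cert_size == 0:
        return None
    length = struct.unpack_from("<IHH", pe, cert_off)[0]   # dwLength, wRevision, wCertificateType
    body = pe[cert_off + 8:cert_off + length]
    return body[32:].rstrip(b"\0").decode(), body[:32]


def sign(pe: bytes, signer: str) -> bytes:
    """Append a WIN_CERTIFICATE carrying the hash (placeholder for a real signer)."""
    pe = bytearray(pe) + b"\0" * (-len(pe) % 8)           # table is 8-byte aligned
    body = authenticode_hash(bytes(pe)) + signer.encode()
    body += b"\0" * (-(8 + len(body)) % 8)
    blob = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    struct.pack_into("<II", pe, _layout(pe)[1], len(pe), len(blob))
    return bytes(pe + blob)


def transplant_signature(signed: bytes, target: bytes) -> bytes:
    """The trick the paper describes: copy a legitimate file's blob onto another file."""
    cert_off, cert_size = struct.unpack_from("<II", signed, _layout(signed)[1])
    target = bytearray(target) + b"\0" * (-len(target) % 8)
    struct.pack_into("<II", target, _layout(target)[1], len(target), cert_size)
    return bytes(target + signed[cert_off:cert_off + cert_size])


def naive_allowlist(pe: bytes) -> bool:
    """The flawed check: trusts the signer name as soon as a blob is present."""
    sig = get_signature(pe)
    return sig is not None and sig[0] in TRUSTED_SIGNERS


def strict_allowlist(pe: bytes) -> bool:
    """The right check: trusted signer AND signed digest equals the recomputed hash."""
    sig = get_signature(pe)
    return (sig is not None and sig[0] in TRUSTED_SIGNERS
            and hmac.compare_digest(sig[1], authenticode_hash(pe)))


def build_pe(payload: bytes) -> bytes:
    """Constructed minimal PE32+ with one section (not loadable; enough for hashing)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, 512, 0, 0, 0x1000, 0x1000)
    opt += struct.pack("<QIIHHHHHHIIIIHH", 0x140000000, 0x1000, 0x200,
                       6, 0, 0, 0, 6, 0, 0, 0x2000, 512, 0, 3, 0)
    opt += struct.pack("<QQQQII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                     # 16 empty data directories
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000, 512, 512,
                      0, 0, 0, 0, 0x60000020)
    return (dos + coff + opt + sec).ljust(512, b"\0") + payload.ljust(512, b"\0")


if __name__ == "__main__":
    legit = sign(build_pe(b"legitimate installer code"), "Legit Software Ltd")
    dressed = transplant_signature(legit, build_pe(b"malicious payload"))
    print("naive:", naive_allowlist(dressed), "strict:", strict_allowlist(dressed))
```

On a real Windows box the equivalent of `strict_allowlist` is to accept only `Valid` from `Get-AuthenticodeSignature` (or `signtool verify /pa`); a transplanted blob comes back as `HashMismatch`, which is exactly the state a scanner that merely notices a trusted signer name will miss.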

A paper on the topic, Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI (PDF), is due to be presented at the CCS conference in Dallas, TX, on Wednesday. The researchers plan to release a list of the abusive certificates at

A separate study by the Cyber Security Research Institute (CSRI), out this week, uncovered code-signing certificates readily available for purchase on the dark web for up to $1,200 (£902).

Code-signing certificates are used to verify the authenticity and integrity of computer applications and software. Cyber criminals can take advantage of compromised code-signing certificates to install malware on enterprise networks and consumer devices.

"We've known for a number of years that cyber criminals actively seek code-signing certificates to distribute malware through computers," said Peter Warren, chairman of the CSRI. "The proof that there is now a significant criminal market for certificates throws our whole authentication system for the internet into doubt and points to an urgent need for the deployment of technology systems to counter the misuse of digital certificates."

Code-signing certificates can be sold many times over, according to Venafi, a security firm that specialises in protecting machine-to-machine identities. ®
