Signed Malware: using digital certificates to circumvent malware checks

Digitally signed malware can bypass system protection mechanisms that install or launch only programs with valid signatures. It can also evade anti-virus programs, which often forego scanning signed binaries. Known from advanced threats such as Stuxnet and Flame, this type of abuse has not been measured systematically in the broader malware landscape. In particular, the methods, effectiveness window, and security implications of code-signing PKI abuse are not well understood. We propose a threat model that highlights three types of weaknesses in the code-signing PKI.

Source: Signed Malware

Security researchers at the University of Maryland found 72 compromised certificates after analysing field data collected by Symantec on 11 million hosts worldwide. “Most of these cases were not previously known, and two thirds of the malware samples signed with these 72 certificates are still valid, the signature check does not produce any errors,” Tudor Dumitras, one of the researchers, told El Reg.

“Certificate compromise appears to have been common in the wild before Stuxnet, and not restricted to advanced threats developed by nation-states. We also found 27 certificates issued to malicious actors impersonating legitimate companies that do not develop software and have no need for code-signing certificates, like a Korean delivery service.”
Hackers abusing digital certs smuggle malware past security scanners – the Register

Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft

 robin@edgarbv.com  https://www.edgarbv.com

Leave a Reply