Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

11:15 AM
Paul Drapeau
Paul Drapeau
Connect Directly
E-Mail vvv

Stop Trusting Signed Malware: 3 Steps

Cybercriminals who manipulate valid signatures and certificates to get malware into an organization is a more common tactic than you think.

There has been no shortage of news about malware bearing valid signatures. Most recently, Cryptowall ransomware was discovered with signing credentials that appear to have been validated by a popular certificate authority. Similarly, news broke a few weeks back that HP’s signing credentials were stolen and used to sign malware.

In theory, code signing allows an end user or enterprise to have confidence that software is produced by an author they trust. Manipulating these systems to get malware into an environment is more common than most people think. Malware authors can steal, purchase, or privately generate signing credentials and associated certificates. Our recent research shows they are frequently doing all three. We’re reminded that whitelisting and application management systems that rely on certificates to establish trust are, at best, insufficient to protect the endpoint.

Researchers at Confer recently examined the signing artifacts of roughly 25,000 malware samples caught in the wild over the last year. In this relatively small sample set, we observed many examples of attackers misusing legitimate or quasi-legitimate credentials.

In one case, a certificate that was issued to a legitimate software company in the United States was used to sign payloads in drive-by exploit kits. We saw this cert in nine different malware samples over the course of several weeks. All of them had valid code signatures.

This may sound surprising but the reuse of certificates in malware is common. We saw the same credentials showing up in hundreds of samples over months. In fact, based on this data set, once compromised, a certificate will be used on over 50 samples and for a period of more than 190 days.

We also saw many samples with “invalid” signatures or certificates issued by private certificate authorities (CAs), often with confusing names. The attacker’s goal is to trick end users into accepting software installs. It seems likely that attackers are generating their own credentials and certificates for this purpose.

Finally, we saw several samples with valid signatures and valid certificate chains that do not appear associated with any legitimate producer of software, indicating that attackers are procuring these certificates through legitimate channels. They are buying legitimate certs from established certificate authorities. This appears to also have been the case with the recent Cryptowall example.

Now what?
There are several things this data tells us and about can we improve security in the enterprise.

Step one: Every CIO, CISO, and engineering manager who’s signing code needs to protect his code signing keys, passphrases, and CA infrastructure by designating someone in the company to be responsible for recommending, implementing, and monitoring effective controls around the keys and signing infrastructure.

These are valuable assets and an extension of a company’s brand. But all too often, they are carelessly maintained, widely distributed, and procured in a decentralized manner. No company wants its name attached to the next devastating piece of ransomware. If you are developing code, stop reading now, figure out who has access to these signing assets, how they are controlled, and how they are used.

Step 2: Information security professionals should look at the signing artifacts associated with code running in their environments and use them as a detective control versus a preventive control. While it may be easy to steal, buy, or generate new credentials, attackers do tend to rely on these certificates longer than particular binaries or C2 infrastructure. Signing credentials are simply more difficult for the adversary to replace. We can use this to help find them.

Step 3: More broadly, this situation is another opportunity for us to examine how we deal with trust. Do enterprises really know where the software they run comes from, and is this even a tractable problem? At the end of the day, users still will click the “yes” button when presented with illegitimate signatures.

Code signing isn’t a simple solution to the complex problem of trust. Controls create incentives for attackers to change their behaviors and make assets we might not always think of as critical to the business key targets. Signed malware will likely only become more common and the authors will keep trying to get their hands on what they need to produce signatures that bypass traditional controls. Just because a binary says it is from a source you think you trust, you should still keep a close eye on it.

Paul Drapeau is a Principal Security Researcher for Confer, which offers endpoint and server security via an open, threat-based, collaborative platform. Prior to joining Confer he led IT security for a public, global pharmaceutical research-and-development organization. He is ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.