Paul Drapeau

Stop Trusting Signed Malware: 3 Steps

Cybercriminals manipulating valid signatures and certificates to get malware into an organization is a more common tactic than you think.

There has been no shortage of news about malware bearing valid signatures. Most recently, Cryptowall ransomware was discovered with signing credentials that appear to have been validated by a popular certificate authority. Similarly, news broke a few weeks back that HP’s signing credentials were stolen and used to sign malware.

In theory, code signing allows an end user or enterprise to have confidence that software is produced by an author they trust. Manipulating these systems to get malware into an environment is more common than most people think. Malware authors can steal, purchase, or privately generate signing credentials and associated certificates. Our recent research shows they are frequently doing all three. We’re reminded that whitelisting and application management systems that rely on certificates to establish trust are, at best, insufficient to protect the endpoint.

Researchers at Confer recently examined the signing artifacts of roughly 25,000 malware samples caught in the wild over the last year. In this relatively small sample set, we observed many examples of attackers misusing legitimate or quasi-legitimate credentials.

In one case, a certificate that was issued to a legitimate software company in the United States was used to sign payloads in drive-by exploit kits. We saw this cert in nine different malware samples over the course of several weeks. All of them had valid code signatures.

This may sound surprising, but the reuse of certificates in malware is common. We saw the same credentials showing up in hundreds of samples over months. In this data set, once a certificate was compromised it typically turned up in more than 50 samples over a period of more than 190 days.

We also saw many samples with “invalid” signatures or certificates issued by private certificate authorities (CAs), often with confusing names. The attacker’s goal is to trick end users into accepting software installs. It seems likely that attackers are generating their own credentials and certificates for this purpose.

Finally, we saw several samples with valid signatures and valid certificate chains that do not appear associated with any legitimate producer of software, indicating that attackers are procuring these certificates through legitimate channels. They are buying legitimate certs from established certificate authorities. This appears to also have been the case with the recent Cryptowall example.

Now what?
This data tells us several things about how we can improve security in the enterprise.

Step 1: Every CIO, CISO, and engineering manager whose organization signs code needs to protect its code-signing keys, passphrases, and CA infrastructure. Designate someone in the company who is responsible for recommending, implementing, and monitoring effective controls around the keys and the signing infrastructure.

These are valuable assets and an extension of a company’s brand. But all too often they are carelessly maintained, widely distributed, and procured in a decentralized manner. No company wants its name attached to the next devastating piece of ransomware. If you are developing code, stop reading now and figure out who has access to these signing assets, how they are controlled, and how they are used.

Step 2: Information security professionals should look at the signing artifacts associated with code running in their environments and use them as a detective control rather than a preventive control. While it may be easy to steal, buy, or generate new credentials, attackers do tend to rely on a given certificate for longer than they rely on any particular binary or C2 infrastructure. Signing credentials are simply more difficult for the adversary to replace, so a certificate that has signed one confirmed-malicious sample is a strong pivot for finding its siblings. We can use this to help find them.
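The following is an added example, not code from the original article or from Confer, showing both points above in working form: the reuse statistic (distinct samples per certificate and the number of days a certificate stayed active) and the step-2 detective pivot, where anything signed by a certificate that also signed known malware, a certificate on an external revocation/abuse list, or a signature whose chain does not validate gets flagged for review. The telemetry schema (SignedBinary), the record set, and every hash and thumbprint value are constructed placeholders; in practice the records would come from an EDR or application-control inventory of signed executables.

```python
"""Treating code-signing artifacts as a detective control.

Constructed example: each record is one signed binary observed on an
endpoint, with the file hash, the SHA-1 thumbprint of the leaf signing
certificate, the certificate subject CN, whether the chain validated to a
trusted root, the date first seen, and an optional verdict from other
controls. Hash and thumbprint values are placeholders, not real samples.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class SignedBinary:
    file_hash: str            # SHA-256 of the file (placeholder value here)
    signer_thumbprint: str    # SHA-1 thumbprint of the leaf signing certificate
    signer_cn: str            # subject common name on that certificate
    chain_valid: bool         # did the certificate chain validate?
    first_seen: date          # first observation on any endpoint
    verdict: Optional[str]    # "malicious", "clean", or None if unclassified


# Placeholder thumbprints (40 hex chars, the shape of a real SHA-1 thumbprint).
CERT_STOLEN = "0a" * 20    # legitimate vendor's cert, later seen on malware
CERT_PRIVATE = "0b" * 20   # cert from an attacker-run private CA, chain invalid
CERT_VENDOR = "0c" * 20    # legitimate vendor, never seen on anything bad
CERT_BOUGHT = "0d" * 20    # bought through legitimate channels; flagged by an outside feed

# Constructed telemetry, not real samples.
TELEMETRY: List[SignedBinary] = [
    SignedBinary("hash-a1", CERT_STOLEN, "Example Software Inc.", True, date(2014, 3, 1), "malicious"),
    SignedBinary("hash-a2", CERT_STOLEN, "Example Software Inc.", True, date(2014, 3, 20), None),
    SignedBinary("hash-a3", CERT_STOLEN, "Example Software Inc.", True, date(2014, 9, 15), None),
    SignedBinary("hash-b1", CERT_PRIVATE, "Windows Update Service", False, date(2014, 5, 5), None),
    SignedBinary("hash-c1", CERT_VENDOR, "Trusted Vendor Ltd.", True, date(2014, 6, 1), "clean"),
    SignedBinary("hash-d1", CERT_BOUGHT, "New Soft LLC", True, date(2014, 7, 7), None),
]


def certificate_reuse(records: Iterable[SignedBinary]) -> Dict[str, Dict[str, int]]:
    """Per signing certificate: distinct samples signed and active window in days."""
    by_cert: Dict[str, List[SignedBinary]] = defaultdict(list)
    for rec in records:
        by_cert[rec.signer_thumbprint].append(rec)
    stats: Dict[str, Dict[str, int]] = {}
    for thumb, recs in by_cert.items():
        first = min(r.first_seen for r in recs)
        last = max(r.first_seen for r in recs)
        stats[thumb] = {
            "samples": len({r.sha for r in recs}) if False else len({r.file_hash for r in recs}),
            "active_days": (last - first).days,
        }
    return stats


def tainted_certificates(records: Iterable[SignedBinary]) -> Set[str]:
    """Thumbprints that signed at least one binary already judged malicious."""
    return {r.signer_thumbprint for r in records if r.verdict == "malicious"}


def hunt(records: List[SignedBinary], known_bad: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Flag not-yet-malicious binaries worth a look, with the reason for each.

    A binary is flagged when its signer also signed known malware in our own
    telemetry, when its signer is on an externally supplied list of revoked or
    abused certificates, or when the signature is present but the chain does
    not validate (the private-CA pattern). Returns file_hash -> reasons.
    """
    tainted = tainted_certificates(records) | set(known_bad)
    findings: Dict[str, List[str]] = {}
    for rec in records:
        if rec.verdict == "malicious":
            continue  # already handled; we want its siblings
        reasons = []
        if rec.signer_thumbprint in tainted:
            reasons.append(
                f"signer '{rec.signer_cn}' ({rec.signer_thumbprint[:8]}...) also signed known malware"
            )
        if not rec.chain_valid:
            reasons.append("signature present but certificate chain does not validate")
        if reasons:
            findings[rec.file_hash] = reasons
    return findings


if __name__ == "__main__":
    for thumb, s in certificate_reuse(TELEMETRY).items():
        print(f"{thumb[:8]}... samples={s['samples']} active_days={s['active_days']}")
    for file_hash, reasons in hunt(TELEMETRY, known_bad={CERT_BOUGHT}).items():
        print(file_hash, "->", "; ".join(reasons))
```

The reuse statistic is what makes the pivot worthwhile: if the stolen vendor certificate above signs samples for 198 days, every unclassified binary carrying that thumbprint during that window is a better lead than any single file hash or C2 address the attacker has long since rotated. The `known_bad` set is where a revocation list or a vendor's published list of abused certificates would be fed in.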

Step 3: More broadly, this situation is another opportunity for us to examine how we deal with trust. Do enterprises really know where the software they run comes from, and is this even a tractable problem? At the end of the day, users still will click the “yes” button when presented with illegitimate signatures.

Code signing isn’t a simple solution to the complex problem of trust. Controls change attacker behavior: they turn assets we might not think of as critical to the business, such as signing keys, into key targets. Signed malware will likely only become more common, and its authors will keep trying to get their hands on whatever they need to produce signatures that bypass traditional controls. Just because a binary says it is from a source you think you trust, you should still keep a close eye on it.

Paul Drapeau is a Principal Security Researcher for Confer, which offers endpoint and server security via an open, threat-based, collaborative platform. Prior to joining Confer he led IT security for a public, global pharmaceutical research-and-development organization. He is ...