The Rise of Digitally Signed Malware

As newer operating systems that either require digitally signed drivers, such as the 64bit version of Vista and Windows 7, or will prompt a user before allowing installation, like the Vista and Windows 7 32bit counterparts, digitally signed malware will become more and more prevalent. FSecure has already noticed this trend. As of July 2010, they had found close to 24,000 examples of digitally signed malware.

Stuxnet, as was well publicized, also utilized valid signed certificates from at least two companies. The interesting thing with Stuxnet was that the malware did not try to sneak its way through a code verification process or forge a certificate, rather it used valid stolen certificates. As processes for verifying code improve as well, stealing valid certificates will likely become the method du jour for getting past driver signing requirements and AV scans for both targeted and non-targeted malware. The Zeus bot looks for any certificates stored on an infected host and siphons them off to the controller for possible later use. A recent targeted attack detailed on the ContagioDump blog highlights the use of a stolen certificate used to sign an infected Powerpoint slide used in a spear-phishing attack. Also, stolen certificates from a credit union were used to sign malware utilizing a then Adobe PDF 0-day last September, according to Softpedia.

There are at least two problems that are implied by the above examples. First, its apparent that developers are not doing due diligence in protecting their own certificates and private keys. This shouldn’t have to be said, but software certificates stored on a development box that has Internet access is not a good idea. Ideally, but also more expensive and cumbersome, hardware certificates should be used to sign code. Likewise, signing certificates should be kept on a separate host that does not touch the rest of the network or the Internet.

The other problem is the wide-scoping inherent trust given to any signed certificate from a valid Certificate Authority. Why would my system inherently trust software that says it was developed by a credit union? Right now, the answer is because the Certificate Authority (in this case Verisign) told it to. Having a more controlled code signing authority would at least make malware authors have to target specific types of entities rather than anyone with a digital signing certificate.

About the Author