According to a recent report published by Kaspersky Lab the number of untrusted certificates used to sign malicious code is doubled in the last year.
The reason is that there is the wrong conviction the a code signed with a digital certificate is a secure code that could be executed without precautions.
“Many system administrators develop their corporate security policies by allowing users to launch only those files that are signed with a digital certificate. In addition, some antivirus scanners automatically consider a file to be secure if it is signed with a valid digital certificate.” states the report published on SecureList.
The experts revealed that by the end of 2014 they have discovered more than 6,000 digital certificates, for this reason the company is warning system administrators and users not to trust digital any application only because it is digitally signed.
“Virus writers steal and imitate valid signatures to reassure the users and anti-virus solutions that the file is safe. Kaspersky Lab has seen this technique used by advanced persistent threat actors for several years,” explained Andrey Ladikov, Head of Strategic Research at Kaspersky Lab.
There are numerous cases in the news in which malware authors have used digital certificates to sign malicious code, including the cyber weapon Stuxnet, the Winnti gang and the more recent Darkhotel APT.
The process for digitally sign the source of any application is composed by the following steps:
Verification of the integrity of the code is very simple, by using the developer public key stored in the digital certificate it is possible to decrypt the hash and compare it with the expected hash for the legitimate file.
The digital certificate contains the software developer’s public key, which can be used to decrypt the message and check the file’s integrity. It also contains information with which the software developers’ authenticity can be checked.
CA are the entities responsible for the verification of the identity of the certificate owner. Windows OS adds in its storage the certificate of the trusted CA.The certificates of the most authoritative CAs have undergone
“The certificates of the most authoritative CAs have undergone an audit and are automatically included into the storage and are delivered to users along with Windows updates. Certificates issued by other CAs can be added to the storage at the discretion of the user.”
The experts highlighted the importance to monitor software even if signed with a valid digital certificate, Kaspersky suggest to adopt an efficient Antivirus solution and invite companies and users to be compliant with security policies:
If you want to know more about abuses of digital certificates read my article “How Cybercrime Exploits Digital Certificates.”
(Security Affairs – digital certificates, malware)