Stuxnet-style code signing of malware becomes darknet cottage industry

Underground cybercrooks are selling digital certificates that allow code signing of malicious instructions, creating a lucrative and expanding cottage industry in the process, according to new research from threat intelligence firm InfoArmor. In one case, a hacker tricked a legitimate certificate authority into issuing digital …

  1. Zog_but_not_the_first

    These days...

    What with Win 10 etc., who are the crims?

  2. Paul Crawford Silver badge

    Just goes to show how fundamentally broken the certificate system of trust is though.

    1. Warm Braw Silver badge

      Even if it worked perfectly, it's only a chain of identity trust - that the person/organisation is the same as the identity they're claiming. And since you can create a legal identity with an off-the-shelf company, that trust is pretty valueless in itself. Moreover, there's no chain of trust of intention - or very little of any practical value. You can't get that without the operating system applying the same granularity of access controls to third-party components (and, ideally, first-party components) as it does to user processes.

      In short, it's all broken. Have a nice day!

    2. LDS Silver badge

      It's broken because it became a business - just like selling domains. I'm not surprised to see the usual names - Comodo, Thawte, GoDaddy - listed, as long as they can get money, they're going to sell everything. Both domains and certificate should be far harder to get, and it shouldn't be a pure open business. It's a business that should be highly regulated to ensure only legitimate users get them, and "mistakes" are quickly spotted and fixed - or big fines apply.

      1. Warm Braw Silver badge

        >It's broken because it became a business

        It's broken because it's hard - businesses may have taken the easy way out, but governments struggle if they try to be more rigorous. If you try too hard to get proof of "identity" (and that's a more slippery concept than you might imagine), you simply exclude more people from access to services or entrench large monopolies by raising barriers to new entrants. That's bad for business and bad for citizens.

        1. Anonymous Coward

          Furthermore, these theoretical monopolies can become targets for industrial espionage. How many of these certificates being passed through the black market, for example, possibly came direct from the firms themselves, copied by a careful spy? After all, if you can get the driver signing key for a major component manufacturer like Realtek (which is what Stuxnet used), then you're pretty much sitting pretty because a much-used certificate that goes back years will be difficult to revoke without massive collateral damage.

    3. Anonymous Coward

      Also goes to show how fundamentally broken ANY system of trust is. Fundamentally, there is simply no way for Alice to be all that sure that she is talking to the one and only Bob if they've never met before. At some point, you're going to need to just trust what's in front of you, but you can always be fooled at this point of First Contact.

      1. Paul Crawford Silver badge

        @AC

        It is not just the problem of how Alice and Bob know they are not talking through Eve, but the fact that any one of hundreds of buggers can issue a certificate to Eve matching Alice and/or Bob. It only takes one of those to fail and the trust link is useless.

        Just think of a RAID-0 stripe with 600 flaky disks...

        1. Charles 9 Silver badge

          Re: @AC

          Or a RAID-0 where one of the drive firmwares has been pwned. Basically, trust on the Internet is a pipe dream yet you need trust to make communications work, meaning we're basically screwed. ANY trust system we can think up, someone else can subvert (like using shills to subvert a Web of Trust).

    4. Mpeler

      All Your Boot Are Belong To Us

      This has me wondering about UEFI and SecureBoot. It's bad enough that Micro$haft think they own your kit, but with "bad actors" oot and aboot, it could just get much, much worse.

      Somehow when I heard M$ saying it would make booting absolutely secure, the first thing that came to mind was "and then, when they're hacked"... (WinXP and XP SP1 anyone?).

      All Your Boot Are Belong To Us it appears.

      Now where did that steampunk PC go...

      1. Anonymous Coward

        @Mpeler - Re: All Your Boot Are Belong To Us

        This has never been about security. Microsoft knew a lot of people might flee from its Windows as a service gift, so they figured out a preemptive move. SecureBoot is about control; it makes sure you will run the version of Windows Microsoft wants you to run and nothing else.

      2. Anonymous Coward

        Re: All Your Boot Are Belong To Us

        "Somehow when I heard M$ saying it would make booting absolutely secure, the first thing that came to mind was "and then, when they're hacked"... (WinXP and XP SP1 anyone?)."

        Although, to be fair, it seems most of the big boys take great care to make sure their most important signing keys never see the light of day (it should be a black-box operation under normal circumstances). At least this way, no one can make a rogue bootloader that can pass the Secure Boot check (bootloader signature checking is at least one security method that has been too difficult to crack for the most part; this is true here, in the portables arena, and with embedded hardware like TiVos).

  3. Anonymous Coward

    Nice to see that

    These folks are end-running government agencies and corporations. Too bad it puts us all at risk, but that's what you get when you use outdated, flawed technology to secure sensitive information.

    Might as well use self-signed certificates. The ones you pay for from the big Certificate Authorities might well be worthless. In any case, how could you be sure?

    1. Anonymous Coward

      Re: Nice to see that

      How can you be sure the algorithms used to generate self-signed certificates are any good?

      1. Anonymous Coward

        Re: Nice to see that

        I don't know they're any better. But why pay for trust we know is broken?

  4. David Pollard

    As the man who gave up and went to care for elephants said

    Just remember you have to trust some of the people some of the time in order to know who not to trust.

Biting the hand that feeds IT © 1998–2021