Certificate trust is broken
You can't trust the root CA authorities. Period.
Malware writers are widely abusing stolen digital code-signing certificates, according to new research. Malware that is signed with compromised certificates creates a means for hackers to bypass system protection mechanisms based on code signing. The tactic extends far beyond high profile cyber-spying ops, such as the Stuxnet …
Well then, if you can't trust the root CA authorities, who CAN you trust?
If you answer, "no one," then Trent doesn't exist anymore, and without Trent, Alice and Bob can't find a way to trust each other. You've basically killed the Internet as a useful means of communication since anything can be changed into anything else.
Malware creators may not even need to control a code-signing certificate. The Maryland Cybersecurity Centre team found that simply copying an authenticode signature from a legitimate file to a known malware sample — which results in an invalid signature — can cause antivirus products to stop detecting it.
"This flaw affects 34 antivirus products, to varying degrees,
Any chance of these chocolate teapots being named?
I've always thought that code signing was ripe for exploitation, unless the cert validation is limited to a very small list of accepted signing authorities. Under the current train wreck "system," a cert signed by a North Korean CA is just as "valid" as one signed by Microsoft.
OK, maybe that was a bad example; but still...
Does the OS check that the signature is valid (correct checksum or whatever)?
If the OS doesn't check that signed code is correctly signed then what is the point of signing code?
If the OS has robust checks then it might be just about acceptable for the antivirus to skip a detailed check because it knows code with a fake signature won't be allowed to run anyway. Not that this seems particularly desirable but it would be interesting to know how much of a real world problem this is.
Are we all at immediate risk or is this just a case of laziness/performance optimisation by the antivirus community with no real impact on the end user? Serious question. The article doesn’t say how worried we should be (if at all). No "get updating" message, for example.
The obvious problem is a known virus correctly signed with a compromised certificate, which apparently isn't checked. The problem cited where a signature is just copied from good code and the check is skipped may be a problem or just a red herring.
As others have said, name and shame please.
(I am one of the authors of the research)
In principle it is possible to enforce a strict whitelisting policy, where only programs from known and trusted publishers are executed, but in practice Windows and other OSes allow the execution of unsigned binaries (for example, a lot of open-source software is not signed). Windows would detect that a binary carries a bogus signature and may warn the user that the program comes from an unknown publisher, but that's the same warning given for unsigned programs. So if the OS allows the execution of the unsigned malware, it will also execute the malware with a bogus signature -- the only difference is that the signature makes the binary look less suspicious to an AV.
A recent example of malware using this trick is NotPetya, which had a bogus signature from Microsoft.
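The distinction the author draws above (a copied signature fails verification, so Windows treats the file like an unsigned one) is visible from PowerShell. The script below is an added example written for this thread, not code from the research or from any product it names; the scan root `C:\Downloads` is an assumed placeholder. `Get-AuthenticodeSignature` reports `HashMismatch` when the embedded signature block does not cover the file's actual bytes, which is exactly what a signature lifted from a legitimate binary looks like, and it lets a defender list such files alongside the signer name they are trying to borrow.

```powershell
# Added example (not from the research or the thread): list PE files whose
# embedded Authenticode signature does not verify, so that a "borrowed"
# signature is treated with the same suspicion as no signature at all.
param(
    [string]$Path = 'C:\Downloads'   # assumed scan root; adjust for your environment
)

Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.sys -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File       = $_.FullName
            # Status values include Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
            Status     = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        }
    } |
    # Keep only files that claim a signature but fail verification.
    Where-Object { $_.Status -ne 'Valid' -and $_.Status -ne 'NotSigned' } |
    Sort-Object Status, File |
    Format-Table -AutoSize
```

A `HashMismatch` row whose `Signer` is a well-known publisher is the bogus-signature case discussed in the thread; an AV or allowlisting rule should treat it no better than an unsigned file, never better. The check does not help with the other case the article raises, malware signed with a genuinely stolen key: that file reports `Valid`, and only certificate revocation or a per-publisher allowlist catches it.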
When Avast was purchasing CCleaner from Piriform (supposedly) a "Hacker" had compromised and inserted a backdoor into the popular CCleaner program.
Avast eventually came out with an "updated" version of CCleaner but it still contained the SAME software signing key as the tainted version before it.
And then there is the curious case of the CIA forging Kaspersky's certs:
"Avast eventually came out with an "updated" version of CCleaner but it still contained the SAME software signing key as the tainted version before it."
The key had not been tainted. The hackers had infiltrated the development server and inserted their code BEFORE it was signed: an "outside the envelope" attack. Since the key was still unknown, it was safe enough to close the dev server, audit the code to remove the malware, then re-compile and re-sign the updated version.
"And then there is the curious case of the CIA forging Kaspersky's certs:"
I don't know if it was forging as much as impersonation. I'll go you one better. Wasn't there a nasty malware spreading around some time that had been signed with Realtek's actual signing key (and Realtek like Kaspersky was a hot target as its audio chips are ubiquitous)?
"I don't know if it was forging as much as impersonation. I'll go you one better. Wasn't there a nasty malware spreading around some time that had been signed with Realtek's actual signing key (and Realtek like Kaspersky was a hot target as its audio chips are ubiquitous)?"
Thanks for the information!
I will be looking into that.
What is very curious is that I had suspected something was odd about Realtek quite some time ago when I first started my journey down the rabbit hole.
(It's like you know me!)
Biting the hand that feeds IT © 1998–2021