
Malware writers are widely abusing stolen digital code-signing certificates, according to new research. Malware that is signed with compromised certificates creates a means for hackers to bypass system protection mechanisms based on code signing. The tactic extends far beyond high profile cyber-spying ops, such as the Stuxnet …

  1. Anonymous Coward

    Certificate trust is broken

    You can't trust the root CA authorities. Period.

    1. Charles 9

      Re: Certificate trust is broken

      Well then, if you can't trust the root CA authorities, who CAN you trust?

      If you answer, "no one," then Trent doesn't exist anymore, and without Trent, Alice and Bob can't find a way to trust each other. You've basically killed the Internet as a useful means of communication since anything can be changed into anything else.

    2. TheVogon

      Re: Certificate trust is broken

      I know of one product that detects this type of thing - Payload Security's VX Stream Sandbox scanner... Any others anyone wants to suggest?

  2. Anonymous Coward

    Great news

    Malware creators may not even need to control a code-signing certificate. The Maryland Cybersecurity Centre team found that simply copying an authenticode signature from a legitimate file to a known malware sample — which results in an invalid signature — can cause antivirus products to stop detecting it.

    "This flaw affects 34 antivirus products, to varying degrees,

    Any chance of these chocolate teapots being named?

    1. Adam 1

      Re: Great news

      Sounds very goto fail

    2. tud0rcand3crypt

      Re: Great news

      The affected AVs are listed in Table 3 in the paper referenced in the article (at http://www.umiacs.umd.edu/~tdumitra/papers/CCS-2017.pdf).

  3. fidodogbreath

    A cert is a cert, except when it isn't

    I've always thought that code signing was ripe for exploitation, unless the cert validation is limited to a very small list of accepted signing authorities. Under the current train wreck "system," a cert signed by a North Korean CA is just as "valid" as one signed by Microsoft.

    OK, maybe that was a bad example; but still...

    1. Anonymous Coward

      Re: A cert is a cert, except when it isn't

      @fidodogbreath: “a cert signed by a North Korean CA is just as "valid" as one signed by Microsoft.”

      What's preventing the root CA authority from revoking the North Korean CA? I ask this in all ignorance, as I am not an expert in digital cryptology.

  4. eswan

    From signedmalware.org:

    Serial Number                        Publisher     Issuer

    00ACDB7F6460A6B323B6D2EAD85BC30CA6   Reg Revenue   COMODO Code Signing CA 2

    Hmmmm.

  5. Anonymous Coward

    Or...

    Maybe your AV doesn't bother checking for a valid code signing certificate at all:

    https://github.com/HackerFantastic/Public/blob/master/tools/bypassavp.sh

  6. David Roberts

    Antivirus doesn’t check signed code?

    Does the OS check that the signature is valid (correct checksum or whatever)?

    If the OS doesn't check that signed code is correctly signed then what is the point of signing code?

    If the OS has robust checks then it might be just about acceptable for the antivirus to skip a detailed check because it knows code with a fake signature won't be allowed to run anyway. Not that this seems particularly desirable but it would be interesting to know how much of a real world problem this is.

    Are we all at immediate risk or is this just a case of laziness/performance optimisation by the antivirus community with no real impact on the end user? Serious question. The article doesn’t say how worried we should be (if at all). No "get updating" message, for example.

    The obvious problem is a known virus correctly signed with a compromised certificate, which apparently isn't checked. The problem cited where a signature is just copied from good code and the check is skipped may be a problem or just a red herring.

    As others have said, name and shame please.

    1. tud0rcand3crypt

      Re: Antivirus doesn’t check signed code?

      (I am one of the authors of the research)

      In principle it is possible to enforce a strict whitelisting policy, where only programs from known and trusted publishers are executed, but in practice Windows and other OSes allow the execution of unsigned binaries (for example, a lot of open-source software is not signed). Windows would detect that a binary carries a bogus signature and may warn the user that the program comes from an unknown publisher, but that's the same warning given for unsigned programs. So if the OS would allow the execution of the unsigned malware, it would also execute the malware with a bogus signature -- the only difference is that the signature makes the binary look less suspicious to an AV.

      A recent example of malware using this trick is NotPetya, which had a bogus signature from Microsoft.
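The points raised in this thread (a signature copied from a legitimate file no longer covers the file, and Windows treats such a binary no differently from an unsigned one unless a whitelisting policy is enforced) can be checked on a Windows host with the built-in Get-AuthenticodeSignature cmdlet. The script below is an added example, not code from the paper or from any commenter; the directory path and the publisher thumbprint list are assumed placeholders.

```powershell
# Added example: classify the Authenticode state of every PE file under a directory.
# A signature blob pasted in from another file yields Status 'HashMismatch', because
# the digest inside the signature does not match the file's own Authenticode hash.
# Assumes Windows PowerShell 5+ and read access to $Root (placeholder path).
param(
    [string]   $Root = 'C:\Temp\samples',
    # Placeholder allowlist of signer certificate thumbprints (SHA-1, uppercase hex)
    # representing the "known and trusted publishers" of a strict whitelisting policy.
    [string[]] $TrustedThumbprints = @('0000000000000000000000000000000000000000')
)

Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll, *.sys | ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $cert = $sig.SignerCertificate

    $verdict = switch ("$($sig.Status)") {
        'Valid' {
            # Chain trusted and hash matches, but only a listed publisher passes a whitelist.
            if ($cert -and $TrustedThumbprints -contains $cert.Thumbprint) { 'ALLOW (trusted publisher)' }
            else { 'valid signature, publisher not on allowlist' }
        }
        'NotSigned'    { 'unsigned' }
        'HashMismatch' { 'BOGUS: signature does not cover this file (copied or tampered)' }
        'NotTrusted'   { 'signed, but chain does not lead to a trusted root' }
        default        { "other: $($sig.Status)" }
    }

    [pscustomobject]@{
        File       = $_.FullName
        Status     = $sig.Status
        Signer     = if ($cert) { $cert.Subject }    else { '' }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
        Verdict    = $verdict
    }
} | Sort-Object Status | Format-Table -AutoSize
```

Anything reported as 'BOGUS' or 'unsigned' gets the same "unknown publisher" treatment from Windows; the value of the check is that the copied-signature case is surfaced explicitly instead of being mistaken for a signed file.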

  7. Anonymous Coward

    Hackers abusing digital certs smuggle malware past WINDOWS security scanners

    Fixed your title.

    Down post at will, lemmings.

  8. Anonymous Coward

    Code signing and digital Certs

    What's preventing the root CA authority from revoking these 'stolen' digital certs?

  9. Anonymous Coward

    CC Cleaner/Avast

    When Avast was purchasing CC Cleaner from Piriform, (supposedly) a "Hacker" had compromised and inserted a backdoor into the popular CC Cleaner program.

    Avast eventually came out with an "updated" version of the CC Cleaner but it still contained the SAME software signing key as the tainted version before it.

    And then there is the curious case of the CIA forging Kaspersky's certs:

    https://www.theregister.co.uk/2017/11/10/cia_kaspersky_fake_certs_ploy/

    1. Charles 9

      Re: CC Cleaner/Avast

      "Avast eventually came out with an "updated" version of the CC Cleaner but it still contained the SAME software signing key as the tainted version before it."

      The key had not been tainted. The hackers had infiltrated the development server and inserted their code BEFORE it was signed: an "outside the envelope" attack. Since the key was still unknown, it was safe enough to close the dev server, audit the code to remove the malware, then re-compile and re-sign the updated version.

      "And then there is the curious case of the CIA forging Kaspersky's certs:"

      I don't know if it was forging as much as impersonation. I'll go you one better. Wasn't there a nasty malware spreading around some time that had been signed with Realtek's actual signing key (and Realtek like Kaspersky was a hot target as its audio chips are ubiquitous)?

      1. Anonymous Coward

        Re: CC Cleaner/Avast

        "I don't know if it was forging as much as impersonation. I'll go you one better. Wasn't there a nasty malware spreading around some time that had been signed with Realtek's actual signing key (and Realtek like Kaspersky was a hot target as its audio chips are ubiquitous)?"

        Thanks for the information!

        I will be looking into that.

        What is very curious is that I had suspected something was odd about Realtek quite some time ago when I first started my journey down the rabbit hole.

        (It's like you know me!)
