Signed Malware
Stuxnet famously used legitimate digital certificates to sign its malware. A research paper from last year found that the practice is much more common than previously thought.
Now, researchers have presented proof that digitally signed malware is much more common than previously believed. What’s more, it predated Stuxnet, with the first known instance occurring in 2003. The researchers said they found 189 malware samples bearing valid digital signatures that were created using compromised certificates issued by recognized certificate authorities and used to sign legitimate software. In total, 109 of those abused certificates remain valid. The researchers, who presented their findings Wednesday at the ACM Conference on Computer and Communications Security, found another 136 malware samples signed by legitimate CA-issued certificates, although the signatures were malformed.
The results are significant because digitally signed software is often able to bypass User Account Control and other Windows measures designed to prevent malicious code from being installed. Forged signatures also represent a significant breach of trust because certificates provide what’s supposed to be an unassailable assurance to end users that the software was developed by the company named in the certificate and hasn’t been modified by anyone else. The forgeries also allow malware to evade antivirus protections. Surprisingly, weaknesses in the majority of available AV programs prevented them from detecting known malware that was digitally signed even though the signatures weren’t valid.
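A defender-side triage check for that last finding, added here as an example (it is not code from the post, the researchers, or Microsoft): it uses the built-in Windows Get-AuthenticodeSignature cmdlet to classify each binary, and treats a present-but-invalid signature as more suspicious than an unsigned file, rather than as a reason to skip inspection. The scan directory and the abused-thumbprint list are placeholders to be replaced with your own values.

```powershell
# Triage Authenticode signature state on a directory of binaries.
# Added example; $Path and $KnownAbusedThumbprints are placeholders.
param(
    [string]$Path = 'C:\ProgramData\Vendor\bin',
    # Thumbprints of certificates you have already established were abused.
    [string[]]$KnownAbusedThumbprints = @('<THUMBPRINT_FROM_YOUR_CASE>')
)

Get-ChildItem -Path $Path -Recurse -Include *.exe,*.dll,*.sys -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $verdict = switch ($sig.Status) {
        'Valid'     { 'signed-valid' }
        'NotSigned' { 'unsigned' }
        # Any other status (HashMismatch, NotTrusted, ...) means a signature is
        # present but does not verify: the case the research found AV engines
        # waving through. Do not treat it as "signed".
        default     { 'signed-INVALID' }
    }
    $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    if ($thumb -and ($KnownAbusedThumbprints -contains $thumb)) {
        # A signature that verifies is still worthless if the certificate was stolen.
        $verdict = 'signed-ABUSED-CERT'
    }
    [pscustomobject]@{
        File    = $_.FullName
        Status  = $sig.Status
        Message = $sig.StatusMessage
        Verdict = $verdict
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Thumb   = $thumb
    }
} | Where-Object { $_.Verdict -ne 'signed-valid' } |
    Sort-Object Verdict | Format-Table -AutoSize
```

Anything reported as signed-INVALID or signed-ABUSED-CERT should go to normal content scanning and analyst review; a valid signature alone is not an allow decision.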
mike acker • February 2, 2018 7:14 AM
there are many CA resources, and lots of x.509 certs.
so much so the process becomes meaningless.
what needs to happen is simple: any cert — or public key, for that matter — that is to be used for a critical application — such as installing software, or filing a Forms 1040, &c — should be countersigned by the user.
this is all in the original documentation of PGP, in the discussion of Trust Models: we all accept the CA certs as fully trusted — because the OEM told us to.
not good
i don’t think it reasonable to expect everybody and their brother to learn to use PGP/GPG to sign certificates or Public Keys — and to maintain a Trust Model. But we do need to move forward on this, and tighten up the sails.
Packaged Technology
we need to find a way to package this technology. I took my daughter to the credit union for a new account. at the end of the process she was offered an “app” for her phone. but this is the point where the encryption keys need to be generated, verified, and validated.
a “smart” phone is probably not a suitable device for this purpose though. we should not mix entertainment with business. not in the office and not in a computer.