Digitally Signed Malware Is Increasingly Prevalent, Researchers Say



Post by ssj100 on 16/3/2012, 10:23

http://www.pcworld.com/businesscenter/article/251925/digitally_signed_malware_is_increasingly_prevalent_researchers_say.html
Security companies have recently identified multiple malware threats that use stolen digital certificates to sign their components in an attempt to avoid detection and bypass Windows defenses.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Post by Guest on 17/3/2012, 19:47

WTF?

According to that article, some antimalware applications won't scan files, just because they're digitally signed and assume they're safe?


Malware authors are interested in signing installers and not just the drivers, because some antivirus solutions assume that digitally signed files are legitimate and don't scan them, said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor BitDefender.

That has got to be a joke, right? lol!


Both Kaspersky Lab and BitDefender have confirmed seeing a steady increase in the number of malware threats with digitally signed components during the last 24 months. Many use digital certificates bought with fake identities, but the use of stolen certificates is also common, Craiu and Botezatu said.

The bolded part (it's my emphasis) is rather interesting, because it just shows how the whole Certificate Authority system is just a fiasco. When using a digitally signed application/accessing a digitally signed online service, you're not trusting the author of the application/the service themselves. Not in a direct way. You're trusting that the CAs did a GOOD job making sure that the person asking for the digital certificate is the REAL person, and not a bogus one.

This clearly shows that... probably... most of them do nothing to make sure ALL is OK.


Post by kjdemuth on 17/3/2012, 20:53

Comodo is one of them. It's been an issue for a while. Unless you change your configuration it won't scan digitally signed files. I think that it was set up this way to increase scanning speed and cut down on HIPS alerts. I think in theory it should work, but only if the CAs are diligent in selling certs.


Post by Guest on 17/3/2012, 21:46

kjdemuth wrote:[...]I think in theory it should work, but only if the CAs are diligent in selling certs.

In theory it's actually great to be like that. But, in practice, as we can see, not only do the bad guys fake their identities to get digital certificates, they also use stolen ones. So, all this whitelisting by digital signatures must be reconsidered and a better way found. These security vendors should have a database of known good hashes.

I suppose having a database of known good hashes would be better than the flawed digital signatures method of whitelisting. Perfect? No. But, certainly better. It would require extra work, yes... and that's something that, probably, they do not want on their side.


Post by wat0114 on 18/3/2012, 19:34

I just don't see the concern here if one downloads their software from the vendor's site. Maybe my viewpoint seems too simplistic, but this approach has never failed me.


Post by Guest on 18/3/2012, 20:04

wat0114 wrote:I just don't see the concern here if one downloads their software from the vendor's site. Maybe my viewpoint seems too simplistic, but this approach has never failed me.

The problem is not so much if you download from the vendor's official web site. The problem, and I'm generally speaking, is that, imagine you've got a default-deny policy, allowing execution of certain publishers only. If we consider, generally speaking, that malware breaches are possible, then we'd have a breach in the default-deny policy, because all the malware authors need to do is steal digital signatures.

Let's say one allows execution of CCleaner, which is a digitally signed application. We allow the execution by Publisher. All the malware author needs to do is steal that digital signature, apply it to his/her malware, and our default-deny policy would be bypassed.

Just imagine a drive-by download, for instance. A user doesn't really need to download something on his/her own.

This is the true danger of the stolen digital certificates. Not only that, but also that, as I previously mentioned, when you download/access a service that is digitally signed, we're trusting that the CAs did a very good job verifying that the person/people who requested the digital certificate are legitimate.

For instance, and considering I mentioned CCleaner above, many people decided to trust Piriform, right? Most likely not even due to it being a digitally signed application. But, if we think about it, we should be asking ourselves: did the CA who sold the digital certificate to Piriform do a very good job verifying the legitimacy of the people behind CCleaner? Or did they just sell it to them?


Post by wat0114 on 18/3/2012, 20:08

Some good points you mention, but it's the actual binary file that one needs to be concerned about, so if I download, as in your example, CCleaner from the vendor's site, why would that binary file be infected? As for drive-by downloads, I feel I'm more than adequately protected against those anyway.


Post by Guest on 18/3/2012, 20:27

Yes, we need to be concerned about the binary file. That's the whole point I was trying to make. lol!

But, if we bring the CAs into the equation, we do need to ask whether or not they did a very good job verifying the legitimacy of the people requesting the certificates. Whether Piriform is made of well-intentioned people or not is beside the point. CAs exist, digital signatures are important, and CAs must make sure the people requesting them are the real people and not simply person A pretending to be person B to get the certificate.

CCleaner was just an example. But, you don't have to think about software, in what comes to CAs. Think about your bank.

Your bank, hopefully, has an encrypted service between you and the server. The bank could very well use a self-signed digital certificate, but that wouldn't inspire much trust that you're dealing with the real people. Or, does it?

Now, what your bank does is request a certificate from a CA. And, the CA must make sure that the people requesting the certificate are actually the bank and not someone pretending to be the bank.

In most cases, they don't do that, at all. They just sell the certificates. Which is why CAs are a fiasco.


Post by Guest on 18/3/2012, 20:28

Then, we have the problem with antimalware applications not analysing digitally signed files, because the vendors assume they're clean... due to the trust "we" put in CAs.


Post by wat0114 on 18/3/2012, 23:08

I'm just talking about the websites I obtain the software from. If it's a site I trust, then I trust the people who run them and their intentions of developing and providing trustworthy software on those very sites.


Post by Guest on 19/3/2012, 03:39

wat0114 wrote:I'm just talking about the websites I obtain the software from. If it's a site I trust, then I trust the people who run them and their intentions of developing and providing trustworthy software on those very sites.

Right. And, that's a fair argument. But, you need to see the digital certificates as being something offering accountability. If Authenticode guidelines are strictly followed, you know who to blame, as opposed to the many anonymous software developers.

For example, we are both software developers. I happen not to digitally sign my software. My identity is unknown. On the other hand, you provide digitally signed software. That means that, if the CAs did a very good job at verifying who you are - they know your identity - then people have a means to hold you responsible for something.

While a digitally signed application doesn't mean it's a safe application, it does offer you accountability.

To be honest, I'm not arguing whether it's that important or not. Maybe for many it is, especially in an enterprise environment, which is why digital certificates exist. Who knows...

So, it's this accountability offering that's broken. And, it's broken because CAs don't follow strict guidelines when a publisher requests a digital certificate. Basically, there's no chain of trust.

Anyway, there are 3 points people, generally speaking, should be concerned about:

1. CAs aren't doing that much of a good job, either by making sure you're the real person requesting the certificate or protecting their servers;
2. Considering 1., it means that malware authors can request a certificate or steal one, without problems.
3. Malware authors are using digital certificates, that are stolen from known good software, so that they can bypass detection.

Strictly speaking, you should care about the binary file and make sure the binary is clean; but then we also have the CAs, which should be providing the accountability factor, but we cannot rely on that, because the trust chain is broken... it has been for a very long time.

And, once again, if we bring CCleaner into it, you'll see there's a perfectly good reason why they digitally sign their application, using a "trustworthy" CA. They don't do it because it's fashionable; they do it for the accountability. I suppose it makes people feel safer...

For instance, on the 64-bit version of Windows you cannot install unsigned drivers. Does it mean that digitally signed drivers are safe? It only means you'll have someone to blame... lol!


Post by wat0114 on 19/3/2012, 06:30

Maybe I don't take the threat that seriously? It's just that in all the years of downloading from known trusted sites without getting compromised by malicious files, it's just not something I feel the need to pay much attention to, and then if something doesn't install the way I would expect it to or it just doesn't behave "right" then I would immediately reboot and restore my last good image to right the ship again.

In short: I don't doubt digitally signed malware is more prevalent, but I somehow feel its existence is far more likely to be found on some dubious warez or similar site, as opposed to a well known and typically trusted site. If I avoid the dubious sites in obtaining my downloads, I probably avoid the malicious files. IOW, and this alludes to your statement on accountability via digitally signed files, I've never honestly placed too much significance in the digital signatures as much as I have the locations of the files I download. After all, over the years I've downloaded many unsigned files that were perfectly safe, probably because I obtained them from sites I could trust.


Post by Guest on 19/3/2012, 07:43

wat0114 wrote:Maybe I don't take the threat that seriously? It's just that in all the years of downloading from known trusted sites without getting compromised by malicious files, it's just not something I feel the need to pay much attention to, and then if something doesn't install the way I would expect it to or it just doesn't behave "right" then I would immediately reboot and restore my last good image to right the ship again.

To be honest, the only time I came across malware/fraudulent software using a stolen digital certificate was when I deliberately hunted them down. I actually believe it was when I reported my findings over at Wilders Security Forum for fraudulent services using names such as Malwarebytes Anti-Malware, avast!, etc. And, this was perhaps more than a year ago? I don't recall. But, I remember those "services" were using stolen digital signatures. The actual names of the software didn't even match.

Anyway, for most people, this wouldn't even matter, at all. I mean, most people get screwed without malware authors having to resort to this approach. There's phishing, social engineering... Why bother stealing digital certificates, right? Although, maybe... who knows... because they know antimalware apps won't scan digitally signed apps, the trend may actually escalate to avoid detection. I mean, if it's easy enough to steal, then why not?

The biggest concern would be in enterprise environments, though, where good security policies should be in place, and where default-deny configurations with Publisher rules are possibly in use. In this scenario, it would make sense to use stolen digital certificates, so they could bypass this kind of security.

For the rest, the binary file is really what you should care for. Which is why antimalware applications shouldn't let a file pass, just because it's digitally signed. This is simply stupid.


wat0114 wrote:In short: I don't doubt digitally signed malware is more prevalent, but I somehow feel its existence is far more likely to be found on some dubious warez or similar site, as opposed to a well known and typically trusted site. If I avoid the dubious sites in obtaining my downloads, I probably avoid the malicious files. IOW, and this alludes to your statement on accountability via digitally signed files, I've never honestly placed too much significance in the digital signatures as much as I have the locations of the files I download. After all, over the years I've downloaded many unsigned files that were perfectly safe, probably because I obtained them from sites I could trust.

Also, to be honest, trusting a certificate so that you can legally charge somebody for something is pure crap. Take the example of big corporations. They have dedicated teams of lawyers that write EULAs that actually can be used against you. You're actually the one to be blamed for something. lol

Smaller software developers... well... they usually have very small EULAs only saying you're using the software as is, and they're basically telling you to **** ***.

The idea of digital certificates would be great, provided that the CAs did a good job and it wouldn't be possible for malware authors to steal them. This way, you could have security policies preventing elevation of unsigned software, and that would mean malware couldn't elevate its rights either. None of this works, anyway.

Nor is the idea that a website on https is safe any better. The CAs would also have to do a good job verifying the identity of the people requesting the certificate, and actually secure their own servers far better.

The whole chain of trust has been broken for a very long time. This is nothing but bu$ine$$. In theory it's a nice thing, in practice way too flawed.


Post by wat0114 on 19/3/2012, 19:55

m00nbl00d wrote:The idea of digital certificates would be great, provided that the CAs did a good job and it wouldn't be possible for malware authors to steal them. This way, you could have security policies preventing elevation of unsigned software, and that would mean malware couldn't elevate its rights either. None of this works, anyway.

That is an ideal use of digitally signed files, but I guess as long as they can be stolen, it's an approach that should probably be avoided. I suppose another approach, although one with higher maintenance overhead, would be the use of hash rules for verified files. The trouble with this, of course, is that the hash rules need to be updated whenever a file is updated. Finally, and by far the easiest, is to simply use path rules, ensuring to create exceptions for sub-directories that can be written to and allow execution. However, even with these latter two approaches, the files still have to be verified safe before installing, so now I'm not so sure if these ideas would be any better than the Publisher one.


Post by Guest on 19/3/2012, 21:39

I suppose it's a two-edged sword.

On one hand, there's the problem with the certificates, and hence a problem with Publisher rules; on the other hand, Hash rules require extra time to maintain those same rules and eventually not lock yourself out of the system, and Path rules may also allow malware to run, if somehow the malware manages to get into one of such paths.

Not to mention, as you said, we must be sure the files are safe. But, the same would apply to Publisher rules, as well. Just because a file is digitally signed doesn't necessarily mean it's safe.

I suppose the best solution is a combination of both Path (for Program Files and Windows) and Hash for anything outside of those locations.
It would, of course, require a more restricted environment due to Path rules. Otherwise, if something manages to get into one of such locations, it gets a green card. Unlike with Publisher rules (due to the real CAs situation), it probably would be a lot easier to have a more restricted environment.

I use the Path + Hash combination. I don't use Publisher, simply because I don't trust CAs enough.

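To make the trade-off in this post and in wat0114's reply above concrete, here is an added example (not code from the thread, from SRP, or from any product mentioned): a toy Python evaluator for Publisher, Hash and Path rules run over constructed file records. The paths, the "Piriform Ltd" signer string, the file contents and the three policies are assumptions made up for illustration; a real Publisher rule also validates the certificate chain, which this toy skips because the thread's point is that a stolen but valid certificate passes that check anyway.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class FileInfo:
    path: str
    content: bytes
    signer: Optional[str]  # subject name on the Authenticode cert; None if unsigned

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

@dataclass
class Policy:
    publishers: set = field(default_factory=set)  # Publisher rules: signer names
    hashes: set = field(default_factory=set)      # Hash rules: SHA-256 digests
    paths: list = field(default_factory=list)     # Path rules: allowed prefixes
    writable: list = field(default_factory=list)  # user-writable sub-dirs excluded

def evaluate(policy: Policy, f: FileInfo) -> str:
    """Name the rule that allows execution, or 'deny' (default-deny).
    Order mirrors SRP precedence: hash, then certificate, then path.
    Chain validation is deliberately absent (see lead-in)."""
    if f.sha256() in policy.hashes:
        return "allow:hash"
    if f.signer is not None and f.signer in policy.publishers:
        return "allow:publisher"
    p = f.path.lower()
    if any(p.startswith(w.lower()) for w in policy.writable):
        return "deny"  # writable exception: a drop here must not run
    if any(p.startswith(a.lower()) for a in policy.paths):
        return "allow:path"
    return "deny"

# Constructed samples (assumed, not real files): a signed vendor build, its
# update (new hash, same signer), malware carrying the vendor's stolen
# certificate, an unsigned drop in a writable system sub-dir, a portable tool.
CCLEANER_V1 = FileInfo(r"C:\Program Files\CCleaner\CCleaner.exe", b"build-1", "Piriform Ltd")
CCLEANER_V2 = FileInfo(r"C:\Program Files\CCleaner\CCleaner.exe", b"build-2", "Piriform Ltd")
STOLEN_CERT = FileInfo(r"C:\Users\bob\AppData\Local\Temp\dropper.exe", b"dropper", "Piriform Ltd")
TEMP_DROP = FileInfo(r"C:\Windows\Temp\dropper.exe", b"dropper", None)
PORTABLE = FileInfo(r"C:\Tools\sigcheck.exe", b"tool", None)

PUBLISHER_ONLY = Policy(publishers={"Piriform Ltd"})
HASH_ONLY = Policy(hashes={CCLEANER_V1.sha256(), PORTABLE.sha256()})
PATH_PLUS_HASH = Policy(paths=["C:\\Program Files\\", "C:\\Windows\\"],
                        writable=["C:\\Windows\\Temp\\"],
                        hashes={PORTABLE.sha256()})  # Path for system dirs, Hash elsewhere
POLICIES = {"publisher": PUBLISHER_ONLY, "hash": HASH_ONLY, "path+hash": PATH_PLUS_HASH}
FILES = {"v1": CCLEANER_V1, "v2": CCLEANER_V2, "stolen": STOLEN_CERT,
         "temp": TEMP_DROP, "tool": PORTABLE}

def compare() -> dict:
    """Verdict for every (policy name, file name) pair."""
    return {(pn, fn): evaluate(p, f) for pn, p in POLICIES.items() for fn, f in FILES.items()}
```

Running `compare()` shows the three failure modes the thread describes: the stolen-certificate dropper is allowed under the Publisher-only policy but denied under Path + Hash, the updated CCleaner build is denied under the Hash-only policy until its digest is added, and the writable-directory exception is what stops the Path rule from green-carding a drop into Windows\Temp.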