With so much software available, it is difficult to ascertain whether a particular program is legitimate. A wrong download can damage a device or compromise user privacy and security. Code signing, by and large, solves this problem, except where malicious programmes manage to obtain these certificates.
Code signing is a process in which a certification authority cryptographically signs software so that legitimate software can be distinguished from malicious software. The latter has no valid certificate and is therefore, by default, treated as invalid and untrustworthy. As Trend Micro’s research shows, malware operators have managed to obtain valid certificates and are distributing their malware under the garb of legitimacy.
How can malware obtain certification?
Security researchers note that many malware programs carried certificate signatures from trusted authorities. Similarly, in one study, Chronicle found that 3,815 malware samples were digitally signed with a certificate from a certificate authority. Though it is difficult to obtain signatures from these authorities, many attackers have managed to do so. The question remains: where do these attackers obtain the certificates? Here are a few ways:
- Black markets operating across the internet sell certificates. Researchers from Masaryk University, together with the Maryland Cybersecurity Center, found four vendors selling certificates on the black market. The size of the market can be gauged from the fact that, in just 104 days, one vendor collected $16,150 in revenue from certificate sales.
- Another way to obtain a valid signature is to steal a certificate from a publisher, a method widely used from 2003 to 2014. This method does not guarantee a supply of future certificates, but it is free nonetheless.
- A malware author can set up a shell company, or impersonate a legitimate one, and apply for certificates. This means paying the required fee and passing the vetting process. Such certificates are reliable and likely to scale better, but the buyer's intentions in these situations remain questionable.
- Sometimes an operator uses malware to install SSL certificates and bypass security controls. Operation Emmental was one such case: the attackers used malware to install a new root Secure Sockets Layer (SSL) certificate, which prevented the browser from warning the user.
How to protect the device?
Since code-signed malware carries a valid certificate, it is difficult for anti-virus software to detect: the software cannot differentiate between malicious and legitimate code. Such malware is used for highly selective targeting. The Stuxnet malware, for example, targeted Iran's nuclear establishment and used fake certification from Realtek Corp. However, a few precautions can certainly be taken, as listed below.
- Keeping the anti-virus software updated.
- Regularly updating the system.
- Abstaining from clicking on malicious links.
- Using secure email services such as ProtonMail.
- Browsing securely via a proxy server or VPN.
For further information about malware, check out this article.
How to fix fraudulent code signing?
Fraudulent code signing can be prevented at different levels:
- The certifying authorities must take extra precautions when issuing certificates. They should be able to tell a legitimate company from a fake one.
- The anti-virus companies should tighten their checks and must treat a fraudulent certificate as having no signature at all.
- Companies must protect their private keys at all costs. One way is to store the private key in hardware rather than on the network; the hardware should then be kept somewhere safe.
- Companies can also apply for an Extended Validation code-signing certificate. Extended Validation certificates require a more stringent vetting process and are harder to obtain.
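As an added example, not code from the article or from any of the vendors it mentions, here is a minimal verifier in Go that applies the policy from the list above: a certificate that has been revoked (a stolen key, as in the earlier list) or that does not chain to a trusted code-signing root is treated exactly as if the file were unsigned, even when the signature itself is mathematically valid. It assumes ECDSA P-256 keys, a constructed root CA, and a serial-number denylist standing in for a real revocation check.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// Issue generates a P-256 key and a code-signing certificate for it, signed by parent (self-signed when parent is nil).
func Issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // a real publisher keeps this in hardware
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if parent == nil { // constructed root CA, or an attacker's home-made certificate
		parent, parentKey = tmpl, key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)))), key
}
// Sign returns an ASN.1 ECDSA signature over SHA-256(artifact).
func Sign(artifact []byte, key *ecdsa.PrivateKey) []byte {
	h := sha256.Sum256(artifact)
	return must(ecdsa.SignASN1(rand.Reader, key, h[:]))
}
// Verify is true only if the signer is unrevoked, chains to a trusted code-signing root and the signature matches.
func Verify(artifact, sig []byte, signer *x509.Certificate, roots *x509.CertPool, revoked map[string]bool) bool {
	if revoked[signer.SerialNumber.String()] {
		return false // stolen or misissued certificate: same verdict as no signature at all
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := signer.Verify(opts); err != nil {
		return false // self-signed or unknown issuer: a mathematically valid signature proves nothing
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(artifact)
	return ok && ecdsa.VerifyASN1(pub, h[:], sig)
}
```

Issuing a root, a publisher certificate chained to it, and a self-signed certificate carrying the same publisher name shows the point: only the chained one verifies, and adding its serial to the denylist turns it back into "unsigned".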
Featured image by Marco Verch Professional Photographer and Speaker | Flickr