Code Signing
The amount of signed malware has increased over the last years.
Trusted Code Signing
The intention of signing was to create trust and to increase security. Code signing certificates are normally issued by a certification authority, which verifies and confirms the identity of the certificate requester. Since mobile app stores require that all apps be signed, the number of signed applications is growing fast. While some adversaries try to buy a signing certificate from an authority, there are also several cases where they simply steal legitimate certificates from vendors and reuse them. For the case that a private key is leaked or stolen, or a certificate is used for a malicious purpose, there is the Certificate Revocation List (CRL). Each compromised certificate should be added to this public list, and operating systems should check against it whether a certificate is still legitimate. Because of several drawbacks of CRLs, there are alternative solutions like OCSP and OCSP stapling.
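To make the CRL check concrete, here is an added example (not code from the original page) of a miniature code-signing PKI using Python's `cryptography` package: a CA issues a code-signing certificate, a payload is signed, and the verifier accepts the signature until the CA publishes a CRL listing that certificate's serial. The CA name, vendor name and payload bytes are constructed placeholders.

```python
# Added example, not the page's own code: a miniature code-signing PKI built with the
# `cryptography` package; "Example CA" and the vendor name are constructed placeholders.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID

NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
def _issue(subject, issuer, pub, serial, days, ext, signer_key):
    # Shared builder for the self-signed CA and for leaf code-signing certificates
    return (x509.CertificateBuilder().subject_name(_name(subject)).issuer_name(issuer)
            .public_key(pub).serial_number(serial).not_valid_before(NOW)
            .not_valid_after(NOW + datetime.timedelta(days=days))
            .add_extension(ext, critical=True).sign(signer_key, hashes.SHA256()))

def make_ca():
    key = ec.generate_private_key(ec.SECP256R1())
    return key, _issue("Example CA", _name("Example CA"), key.public_key(), 1, 3650,
                       x509.BasicConstraints(ca=True, path_length=0), key)
def issue_signing_cert(ca_key, ca_cert, cn, serial):
    key = ec.generate_private_key(ec.SECP256R1())
    eku = x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CODE_SIGNING])
    return key, _issue(cn, ca_cert.subject, key.public_key(), serial, 365, eku, ca_key)
def sign_binary(key, data):
    return key.sign(data, ec.ECDSA(hashes.SHA256()))
def build_crl(ca_key, ca_cert, revoked_serials):
    # The CA publishes a CRL listing the serial of every stolen or misused certificate
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def verify_signed_binary(data, sig, cert, ca_cert, crl):
    # Loader-style check: issuer chain, payload signature, then the CA-signed CRL
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        cert.public_key().verify(sig, data, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return "bad signature"
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "untrusted CRL"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "ok"
```

A real loader would additionally check the validity period and the code-signing EKU; the CRL lookup shown here is the step the paragraph above describes.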
Signed Malware
The number of signed malware samples has increased over the last years. According to the TREND Report from 2018 [1], depending on the malware type, more than 50% is signed. Some were signed with stolen certificates and some with certificates issued to malware authors due to failures in the verification process. There is also malware that is not properly signed. A detailed study can be found in the research paper Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI [2].
Reasons to sign Malware
Signed binaries are often trusted by the operating system. Over the last years, more and more operating systems only allow signed applications to be installed. A signed binary is also often less suspicious, which is why malware that tries to stay hidden is often signed.
Downsides of signing Malware
Rapid development and release of new malware becomes harder. If a malware sample is detected, there is a high chance that the certificate will be revoked; with this, all current deployments of the malware are easy to locate and are burned.