A group of researchers demonstrated that malware signed with stolen Digital code-signing certificates continues to bypass security software.
A recent study conducted by the Cyber Security Research Institute (CSRI) revealed that stolen digital code-signing certificates are available for sale for anyone to purchase on the dark web for up to $1,200.
Digital code-signing certificates are a precious commodity in the criminal underground, digital certificates issued by a trusted certification authority (CA) are used to cryptographically sign software that is trusted by security solutions for execution on your machine.
Digitally signing malicious code could allow its execution on a machine, bypassing security measures in place.
One of the first malicious codes abusing digital code-signing certificates was the Stuxnet worm that was used to compromise Iranian nuclear enrichment process in 2005. Back to the present, the recent attack against the supply chain of the CCleaner software also leveraged a signed tainted version of the popular application to avoid the detection.
The security researchers Doowon Kim, BumJun Kwon and Tudor Dumitras from the University of Maryland, College Park have investigated the phenomena. The research team has found a total of 325 signed malware samples, of which 189 (58.2%) carried valid digital signatures while 136 carry malformed digital signatures.
The team published a research paper titled “Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI.”
“Digitally signed malware can bypass system protection mechanisms that install or launch only programs with valid signatures.” reads the paper.
“It can also evade anti-virus programs, which often forego scanning signed binaries. Known from advanced threats such as Stuxnet and Flame, this type of abuse has not been measured systematically in the
broader malware landscape”
The researchers reported that 189 malware samples signed correctly were generated using 111 compromised unique certificates issued by trusted CAs and used to sign legitimate software.
The experts have published the list of certificates abused by attackers at signedmalware.org.
“We identify 325 signed malware samples in our data set. Of these, 189 (58.2%) samples are properly signed while 136 carry malformed digital signatures, which do not match the binary’s digest” states the paper.
“Such malformed signatures are useful for an adversary: we find that simply copying an Authenticode signature from a legitimate sample to an unsigned malware sample may help the malware bypass AV detection,” explained the researchers.
At the time of writing, 27 of these compromised certificates had been revoked, the experts highlighted that executable files signed with one of the 84 certificates that were not revoked may still be valid.
“At the time of writing, 27 of these certificates had been revoked. While all the abusive certificates in our data set had expired, executable files signed with one of the 84 certificates that were not revoked may still be valid, as long as they carry a trusted timestamp obtained during the validity of the certificate” continues the paper
“A large fraction (88.8%) of malware families rely on a single certificate, which suggests that the abusive certificates are mostly controlled by the malware authors rather than by third parties,”
The experts explained that even after a stolen certificate is revoked it will not stop crooks from abusing them immediately.
The researchers found that at least 34 antivirus software failed to check the validity of digital certificates, allowing malicious code to run on the infected system.
The experts also conducted an experiment to determine if malformed signatures can affect the anti-virus detections, they downloaded 5 random unsigned ransomware samples that almost all anti-virus programs detected as malicious, then they signed their code using two expired certificates.
According to the experts, many anti-virus software failed to detect the malware.
“However, the impact of this attack varies with the AV products. The top three AVs affected are nProtect, Tencent, and Paloalto. They detected unsigned ransomware samples as malware, but considered eight of out our ten crafted samples as benign. Even well-known AV engines, e.g. Kaspersky, Microsoft, Symantec, and Commodo,
allow some of these samples to bypass detection.” explained the researchers.
“We believe that this [inability in detecting malware samples] is due to the fact that AVs take digital signatures into account when filter and prioritize the list of files to scan, in order to reduce the overhead imposed on the user’s host,”
“However, the incorrect implementation of Authenticode signature checks in many AVs gives malware authors the opportunity to evade detection with a simple and inexpensive method.”
The researchers reported this issue to the affected antivirus companies, in one case the company confirmed that their product fails to check the signatures correctly.