Categories: Malware

Risks related to the use of digital certificates

A recent report published by experts at Kaspersky Lab revealed that the number of abuses for digital certificates is in constant increase.

According to a recent report published by Kaspersky Lab the number of untrusted certificates used to sign malicious code is doubled in the last year.

The reason is that there is the wrong conviction the a code signed with a digital certificate is a secure code that could be executed without precautions.

“Many system administrators develop their corporate security policies by allowing users to launch only those files that are signed with a digital certificate. In addition, some antivirus scanners automatically consider a file to be secure if it is signed with a valid digital certificate.” states the report published on SecureList.

The experts revealed that by the end of 2014 they have discovered more than 6,000 digital certificates, for this reason the company is warning system administrators and users not to trust digital any application only because it is digitally signed.

“Virus writers steal and imitate valid signatures to reassure the users and anti-virus solutions that the file is safe. Kaspersky Lab has seen this technique used by advanced persistent threat actors for several years,” explained Andrey Ladikov, Head of Strategic Research at Kaspersky Lab.

There are numerous cases in the news in which malware authors have used digital certificates to sign malicious code, including the cyber weapon Stuxnet, the Winnti gang and the more recent Darkhotel APT.

The process for digitally sign the source of any application is composed by the following steps:

  1. The software developer compiles the file.
  2. A hash sum (MD5, SHA1, or SHA2) is calculated for the file.
  3. That hash sum is encrypted with the software developer’s private key.
  4. The obtained encrypted block of data and the digital certificate are added to the end of the file.

Verification of the integrity of the code is very simple, by using the developer public key stored in the digital certificate it is possible to decrypt the hash and compare it with the expected hash for the legitimate file.

The digital certificate contains the software developer’s public key, which can be used to decrypt the message and check the file’s integrity. It also contains information with which the software developers’ authenticity can be checked.

 

CA are the entities responsible for the verification of the identity of the certificate owner. Windows OS adds in its storage the certificate of the trusted CA.The certificates of the most authoritative CAs have undergone

“The certificates of the most authoritative CAs have undergone an audit and are automatically included into the storage and are delivered to users along with Windows updates. Certificates issued by other CAs can be added to the storage at the discretion of the user.”

The experts highlighted the importance to monitor software even if signed with a valid digital certificate, Kaspersky suggest to adopt an efficient Antivirus solution and invite companies and users to be compliant with security policies:

  1. Do not execute code digitally signed  by an unknown  software vendor.
  2. Use an antivirus solution, that manages a database of trusted and untrusted certificates.
  3. Do not install a digital certificate from unknown certification centers in the storage.
  4. Do not trust an application because it is signed with a trusted certificate. Carefully analyze the attributes of the certificates used to sign the application (i.e. Serial number, hash of the certificate)
  5. Install the Microsoft MS13-098 update – it eliminates the error that can include additional data in the signed file without violating the file signature.

If you want to know more about abuses of digital certificates read my article “How Cybercrime Exploits Digital Certificates.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – digital certificates, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

 

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

4 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

11 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

22 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

This website uses cookies.