Pierluigi Paganini February 05, 2015

A recent report published by experts at Kaspersky Lab revealed that the number of abuses for digital certificates is in constant increase.

According to a recent report published by Kaspersky Lab the number of untrusted certificates used to sign malicious code is doubled in the last year.

The reason is that there is the wrong conviction the a code signed with a digital certificate is a secure code that could be executed without precautions.

“Many system administrators develop their corporate security policies by allowing users to launch only those files that are signed with a digital certificate. In addition, some antivirus scanners automatically consider a file to be secure if it is signed with a valid digital certificate.” states the report published on SecureList.

The experts revealed that by the end of 2014 they have discovered more than 6,000 digital certificates, for this reason the company is warning system administrators and users not to trust digital any application only because it is digitally signed.

“Virus writers steal and imitate valid signatures to reassure the users and anti-virus solutions that the file is safe. Kaspersky Lab has seen this technique used by advanced persistent threat actors for several years,” explained Andrey Ladikov, Head of Strategic Research at Kaspersky Lab.

There are numerous cases in the news in which malware authors have used digital certificates to sign malicious code, including the cyber weapon Stuxnet, the Winnti gang and the more recent Darkhotel APT.

The process for digitally sign the source of any application is composed by the following steps:

1. The software developer compiles the file.
2. A hash sum (MD5, SHA1, or SHA2) is calculated for the file.
3. That hash sum is encrypted with the software developer’s private key.
4. The obtained encrypted block of data and the digital certificate are added to the end of the file.

Verification of the integrity of the code is very simple, by using the developer public key stored in the digital certificate it is possible to decrypt the hash and compare it with the expected hash for the legitimate file.

The digital certificate contains the software developer’s public key, which can be used to decrypt the message and check the file’s integrity. It also contains information with which the software developers’ authenticity can be checked.

CA are the entities responsible for the verification of the identity of the certificate owner. Windows OS adds in its storage the certificate of the trusted CA.The certificates of the most authoritative CAs have undergone

“The certificates of the most authoritative CAs have undergone an audit and are automatically included into the storage and are delivered to users along with Windows updates. Certificates issued by other CAs can be added to the storage at the discretion of the user.”

The experts highlighted the importance to monitor software even if signed with a valid digital certificate, Kaspersky suggest to adopt an efficient Antivirus solution and invite companies and users to be compliant with security policies:

1. Do not execute code digitally signed  by an unknown  software vendor.
2. Use an antivirus solution, that manages a database of trusted and untrusted certificates.
3. Do not install a digital certificate from unknown certification centers in the storage.
4. Do not trust an application because it is signed with a trusted certificate. Carefully analyze the attributes of the certificates used to sign the application (i.e. Serial number, hash of the certificate)
5. Install the Microsoft MS13-098 update – it eliminates the error that can include additional data in the signed file without violating the file signature.

If you want to know more about abuses of digital certificates read my article “How Cybercrime Exploits Digital Certificates.”

Pierluigi Paganini

(Security Affairs – digital certificates, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]