Legitimate Digitally Signed Certificates for Sale on Dark Web

News of malware attacks targeting Mac or Windows is nothing new for internet users today. To make matters worse, variants like boot viruses, rogue file attachments and macro viruses have already come into the limelight. If you think that everything begins and ends with malware, you are wrong. It is a sign of things yet to come; consider this an alarm bell.

A recent study conducted by the Cyber Security Research Institute (CSRI) revealed how digital code signing certificates are at risk. The Stuxnet worm was the first of this kind, and was used to compromise the Iranian nuclear enrichment process in 2005. A recent example of abuse of a digital code signing certificate was the attack on CCleaner.

Digital Code Signing Certificates:

A digital certificate is like an identity card: it provides an identity to an individual or company. Certificates are issued by a trusted certificate authority (CA).

Certification authorities issue digital certificates to confirm the holder's identity and authority. A public key, along with other identifying information, is embedded into each digital certificate issued to an individual or company. These certificates are cryptographically signed, which protects the integrity of the data and validates its use.

A computer application or piece of software with a digital certificate is trusted by the computer, which allows the program to execute without any warning message.

How are Digital Certificates at Risk?

Legitimately signed digital certificates are on sale on the Dark Web at a price of up to $1,200 per certificate. Hackers use these certificates to link their malicious code with trusted software vendors, reducing the risk of the malware being detected. Thus, they easily bypass the security of targeted networks and users' machines.

Do I need to worry? 

A team of security researchers from the University of Maryland, College Park (Doowon Kim, BumJun Kwon and Tudor Dumitras) has found that digitally signed malware is prevalent. A total of 325 signed malware samples have already been discovered, of which 189 have valid digital signatures.

“Such malformed signatures are useful for an adversary: we find that simply copying an Authenticode signature from a legitimate sample to an unsigned malware sample may help the malware bypass AV detection,” the researchers said.

27 of these compromised certificates have already been revoked; the remaining 84 certificates are still trusted by the system until they are revoked.

“A large fraction (88.8%) of malware families rely on a single certificate, which suggests that the abusive certificates are mostly controlled by the malware authors rather than by third parties,” the trio said (Doowon Kim, BumJun Kwon and Tudor Dumitras from the University of Maryland, College Park).

Src: thehackernews.com

Even after the certificates have been revoked, researchers have found that cyber criminals are not immediately stopped from abusing them, since some antivirus programs fail to recognize a malicious program signed with a revoked certificate. That is, malicious code will run on the system without any hindrance.

Hackers can easily add malicious code to any valid Microsoft-signed Windows system file or to a Microsoft Office file, and so hide from security applications, because files signed by Microsoft are added to the whitelist of the security program. This whitelisting is done to avoid false detections, which can cause deletion of critical system files and a system crash.

What Can I do to Stay Protected?

“Digitally signed malware can bypass system protection mechanisms that install or launch only programs with valid signatures,” reads the paper “Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI.”

This is indeed a serious matter: hackers having access to valid certificates means nothing is secure, as an anti-virus program and the system will not be able to identify these threats. It is now easy to evade an anti-virus program.

You can check the list of certificates abused by attackers at signedmalware.org.
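
A defender can also audit what is already on a machine. The script below is an added example, not part of the original article or the cited paper: it lists files under a folder that carry an Authenticode signature which does not verify (for instance `HashMismatch`, where the signature does not match the file's contents) or whose signer chain reports a revocation problem. It assumes Windows PowerShell with the built-in `Get-AuthenticodeSignature` cmdlet and the .NET `X509Chain` class; the `$Path` default and the helper name `Get-RevocationFlags` are placeholders chosen for this example.

```powershell
# Added example. Assumption: $Path is the folder to audit (placeholder default).
param([string]$Path = 'C:\Program Files')

function Get-RevocationFlags {
    # Hypothetical helper: builds the signer's chain with online revocation
    # checking and returns only the revocation-related status flags.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($Certificate)
    # Expiry flags are ignored on purpose: an expired signer certificate is
    # normal for older, timestamped binaries and is not a revocation signal.
    $chain.ChainStatus |
        ForEach-Object { [string]$_.Status } |
        Where-Object { $_ -in 'Revoked', 'RevocationStatusUnknown', 'OfflineRevocation' }
}

Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
        $flags = @()
        if ($sig.SignerCertificate) {
            $flags = @(Get-RevocationFlags -Certificate $sig.SignerCertificate)
        }
        [pscustomobject]@{
            File       = $_.FullName
            Status     = [string]$sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer     = $sig.SignerCertificate.Subject
            Thumbprint = $sig.SignerCertificate.Thumbprint
            Revocation = ($flags -join ',')    # empty when no revocation problem was reported
        }
    } |
    # Report signed files whose signature or signer chain does not check out.
    Where-Object { $_.Status -ne 'NotSigned' -and ($_.Status -ne 'Valid' -or $_.Revocation -ne '') } |
    Format-Table -AutoSize -Wrap
```

`RevocationStatusUnknown` or `OfflineRevocation` means the revocation server could not be reached, so those rows need a re-check with network access rather than being read as revoked.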
