Are signed files safer than others?

Mike Wood of SophosLabs Vancouver presented "Want my autograph? The use and abuse of digital signatures by malware" at the 2010 Virus Bulletin conference. Mike's talk focused on the trust that people and technology place in certificates, and on how criminals take advantage of weaknesses in the chain of trust in the hope that you will be tricked.

Mike explained how the use of certificates, whether for signing software or for HTTPS websites, relies on a chain of trust. Attackers are taking advantage of several factors that exploit weaknesses in that chain, allowing them to "piggyback" on this trust in several ways.

His paper provides statistics from SophosLabs showing the growing abuse of certificates for signing malware, and how the bad guys are increasingly using stolen or even legitimately purchased certificates to fool security software and Windows.

Legitimate certificate issued to Fake AV payment sites

He also spent a fair bit of time explaining the different ways criminals use social engineering throughout the scam, exploiting the misplaced trust of end users.

Ultimately, Mike believes that the anti-virus industry can use practices such as tracking the reputation of different certificate authorities, or even of individual certificates, to make proper decisions on the user's behalf and help keep them safe.

Mike made an astute observation during his session that bears repeating here. He said "It's rather bizarre you can buy an identity product anonymously". If certificate authorities want our trust, they are going to have to earn it.

My takeaway is that signed does not mean safe, and if we want to use certificates as a measure of trust, we need to rethink the current methodology. Improvements are needed, but we shouldn't throw the baby out with the bath water.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.