Malware abusing digital signatures: VB2010 presentation highlights

Filed Under: Malware, SophosLabs

I recently presented my paper Want My Autograph? The use and abuse of digital signatures by malware at Virus Bulletin 2010. I will refrain from delving into the gory details of digital signatures heuristics that strongly indicate malware -- those interested can refer to the paper for that information. I will however highlight one of the key takeaways from my presentation, particularly how current digital signature handling falls short in helping prevent the spread of malware.

The problem starts when the bad guys get their hands on the private key corresponding to a certificate issued by a trusted Certificate Authority (CA), which can be accomplished by providing a phony business registration to the CA or by stealing the private key from an otherwise legitimate organization. Once equipped with a private key, the malware author can add a trusted digital signature to any malicious executable of their choosing. Making matters worse, even if the CA revokes the certificate for the abused private key, any digital signature made before the revocation date will remain valid -- as long as the signature was created with the date and time when the signature occurred. Hence, a malicious digital signature cannot always be revoked retroactively and, unfortunately, this is the more common scenario (e.g. Stuxnet).

This is certainly not the only problem with digital signatures -- a CA can also be impersonated with rogue certificates. For further thoughts on these issues and how digital signature handling can be improved to protect users, see the paper.

My colleague Pob also presented at VB2010 and has an excellent summary of his presentation on malicious PDFs, and the two of us joined forces with Chester Wisniewski in a VB2010 Conference roundup podcast.

You might like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s