Are signed files safer than others?

Mike Wood of SophosLabs Vancouver presented “Want my autograph? The use and abuse of digital signatures by malware” at the 2010 Virus Bulletin conference. Mike’s talk was focused on the trust that people and technology put into certificates and how criminals are taking advantage of weaknesses in the chain of trust in the hope you may be tricked.

Mike explained how the use of certificates, whether for signing software or for HTTPS websites, rely on a chain of trust. Attackers are taking advantage of several factors that exploit weaknesses in that chain, allowing them to “piggyback” on this trust in several ways.

His paper provides statistics from SophosLabs showing the growing abuse of certificates for signing malware and how increasingly the bad guys are using stolen or even legitimately purchased certificates to fool security software and Windows.

Legitimate certificate issued to Fake AV payment sites

He also spent a fair bit of time explaining the different ways criminals use social engineering throughout the process of scamming people using the misplaced trust of end users.

Ultimately Mike believes that the anti-virus industry can use practices such as reputation of different certificate authorities or even certificates themselves to make proper decisions on the users behalf to help keep them safe.

Mike made an astute observation during his session that bears repeating here. He said “It’s rather bizarre you can buy an identity product anonymously”. If certificate authorities want our trust, they are going to have to earn it.

My takeaway is that signed does not mean safe and if we want to use certificates as a measure of trust we need to rethink the current methodology. Improvements are needed, but we shouldn’t throw the baby out with the bath water.