Digitally Signed Malware Growing

Monday, March 19, 2012 @ 02:03 PM gHale

There are multiple malware threats that use stolen digital certificates to sign their components in an attempt to avoid detection and bypass Windows defenses.

Stuxnet surprised the security industry with its use of rootkit components digitally signed with certificates stolen from semiconductor manufacturers Realtek and JMicron.

Cisco Patches Security Appliance Holes
Embedded Systems Still Unprotected
Patched Hole Doesn’t Stop Attackers
Malware Shifts from Safe to Malicious

Security experts predicted at the time other malware creators would adopt the technique in order to bypass the driver signature enforcement in 64-bit versions of Windows Vista and 7.

A backdoor discovered by Symantec in December installed a rootkit driver signed with a digital certificate stolen from an unidentified company. The certificate ended up revoked by VeriSign at the owner’s request nine days later.

However, the time window available for the malware to remain undetected was larger than that, because Windows operating systems rarely check certificate revocation lists (CRL), or don’t check them at all, said Symantec principal software engineer Mircea Ciubotariu.

However, even if Windows would check lists regularly, it wouldn’t make much of a difference for malware already signed with the revoked certificates, because blocking such files is impractical, said Costin Raiu, Kaspersky Lab’s director of global research and analysis.

Raiu gave the stolen Realtek certificate used in Stuxnet as an example. “If Microsoft were to block the loading of all known files signed with that certificate, probably millions of users of RealTek hardware from around the world would find their motherboards, network cards, etc. inoperable,” he said. “Therefore, Microsoft cannot block the execution or loading of files signed with stolen certificates.”

A different malware component identified by Kaspersky Lab ended up signed with a certificate stolen from a Swiss company called Conpavi AG. “The company is known to work with Swiss government agencies such as municipalities and cantons,” said Kaspersky Lab expert Vyacheslav Zakorzhevsky.

The threat ends up detected as Trojan-Dropper.Win32/Win64.Mediyes and is part of a click fraud scheme. However, the signed component is not a driver, but the actual malware installer, also known as the dropper.

Malware authors want signed installers and not just the drivers, because some antivirus solutions assume that digitally signed files are legitimate and don’t scan them, said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor BitDefender.

Kaspersky Lab and BitDefender have confirmed seeing a steady increase in the number of malware threats with digitally signed components during the last 24 months.

Leave a Reply

You must be logged in to post a comment.