The 189 malware samples bearing valid digital signatures were signed by 111 unique certificates. One is software publishers who mismanage the private keys they use to sign their wares. The researchers identified two other key weaknesses in code-signing regimens that allow forgeries to flourish. "However, the incorrect implementation of Authenticode signature checks in many AVs gives malware authors the opportunity to evade detection with a simple and inexpensive method." Advertisement "We believe that this is due to the fact that AVs take digital signatures into account when filter and prioritize the list of files to scan, in order to reduce the overhead imposed on the user's host," the researchers wrote. On average, the malformed signatures reduced the overall detection rate by 20 percent. Even well-known AV engines from Commodo, TrendMicro, Microsoft, Symantec, and Kaspersky Lab had problems, failing to detect 6, 3, 2, 2, and 1 of the known malicious samples, respectively. Three AV programs-nProtect, Tencent, and Paloalto-had the most trouble, reporting eight of the 10 files as benign. When analyzing the resulting 10 files, the AV programs to varying degrees failed to detect they were malicious. The researchers then took two expired certificates that previously had been used to sign both legitimate software and malware and used the certificates to sign each of the five ransomware samples. To prove the point, the researchers downloaded five unsigned ransomware samples that AV programs almost universally detected as malicious. The failure, the paper reported, is the result of faulty implementations of Microsoft's Authenticode specification. As a result, the AV programs often failed to detect malware that was known to be malicious. "The findings also raise important concerns about the security of the code signing ecosystem." AdvertisementĪn accompanying research paper, titled Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI, found that even when a signature isn't valid because it doesn't match the cryptographic hash of the file being signed, at least 34 AV programs to some degree failed to identify the easy-to-spot error. "Our results show that compromised certificates pose a bigger threat than we previously believed, as it is not restricted to advanced threats and that digitally signed malware was common in the wild before Stuxnet," Tudor Dumitraș, one of three professors at the University of Maryland, College Park, who performed the research, told Ars. Surprisingly, weaknesses in the majority of available AV programs prevented them from detecting known malware that was digitally signed even though the signatures weren't valid. The forgeries also allow malware to evade antivirus protections. Forged signatures also represent a significant breach of trust because certificates provide what's supposed to be an unassailable assurance to end users that the software was developed by the company named in the certificate and hasn't been modified by anyone else. The results are significant because digitally signed software is often able to bypass User Account Control and other Windows measures designed to prevent malicious code from being installed. The researchers, who presented their findings Wednesday at the ACM Conference on Computer and Communications Security, found another 136 malware samples signed by legitimate CA-issued certificates, although the signatures were malformed. In total, 109 of those abused certificates remain valid. The researchers said they found 189 malware samples bearing valid digital signatures that were created using compromised certificates issued by recognized certificate authorities and used to sign legitimate software. What's more, it predated Stuxnet, with the first known instance occurring in 2003. Now, researchers have presented proof that digitally signed malware is much more common than previously believed. Following its discovery in 2010, researchers went on to find the technique was used in a handful of other malware samples both with ties to nation-sponsored hackers and, later on, with ties to for-profit criminal enterprises. One of the breakthroughs of the Stuxnet worm that targeted Iran's nuclear program was its use of legitimate digital certificates, which cryptographically vouched for the trustworthiness of the software's publisher. Enlarge / The two legitimate signing certificates Stuxnet used to bypass Windows protections.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |