Valid Digital Certificates Code Signing Malware

Introduction

For more than a decade, digital certificates served as trust vouchers making it possible for people and organizations to operate online.  Digital certificates – SSL and code signing - provide the greatest assurance possible that websites and applications are genuine and safe to use.

Recent years were marked by highly publicized CAs (Certificate Authorities) or TSPs (Trust Service Providers according to European taxonomy) security breaches that threatened to undermine the confidence of the entire system. ENISA published in 2016 an Info Note describing some of these incidents and last year the world learned about ROCA (Return of the Coppersmith’s Attack), a vulnerability in the RSA keys generation impacting many smart cards and trusted platform module implementations.

If this was not enough, we are now observing a growing number of incidents with stolen certificates that are digitally code signing malware and masking malicious intentions. The situation is not new - Stuxnet worm that targeted Iranian nuclear processing facilities in 2010 used valid digital certificates. This Info Note reviews recent incidents with stolen valid certificates code signing malicious software.

Contextual Information

Digitally code-signed malware has become much more common in recent years to mask malicious intentions. Security researchers from ESET recently discovered a new malware campaign abusing stolen valid digital certificates from Taiwanese tech-companies, signing malware and making it look like legitimate applications. Furthermore, researchers at Masaryk University, and Maryland Cybersecurity Center (MCC), recently published a research - “Measuring the Underground Trade in Code Signing Certificates” - identifying trusted code signing certificates sold in dark web marketplaces. The high demand for these stolen certificates is generating large interest and profits for cyber criminals, researchers found.

Two malware families - previously associated with cyberespionage group BlackTech – code signed by certificates belonging to Taiwanese networking equipment manufacturer and a security company, were recently identified. The first malware, dubbed Plead, is a remotely controlled backdoor designed to steal confidential documents and spy on users. The second malware is also a related password stealer designed to collect saved passwords from Google Chrome, Microsoft Internet Explorer, Microsoft Outlook, and Mozilla Firefox.

The Code Signed Certificates

The Code Signing Certificates (CSC) also known as Software Publisher Certificates (SPC), implements the PKI framework and x.509 v3 standard [RFC5280]. These verify that the signed code has not been altered and the source that developed the code can be trusted by the person installing the software. Software publishers obtain a code signing certificate from TSPs through a vetting process where the identity is verified. Although a digital signature does not guarantee that the software is safe to execute, it helps to establish trust and ensures that an executable program has not been tampered with or replaced by malware.

Incidents with Code Signed Certificates

Having access to valid digital signatures, cyber criminals are able to deploy malicious software capable of bypassing platform protections and anti-virus scanners. These valid code signing certificates normally associated with trusted entities, reduce the possibility of malicious software being detected in enterprise networks, intrusion detection systems and end-point security software. Network security appliances performing deep packet headers analysis become less effective when legitimate SSL/TLS traffic initiated by malicious software. The main issue relays with the processes of undoing, revoking and resigning code signing certificates. These operations involve a certain degree of complexity for software publishers and often not correctly implemented.

There have been a number of high profile cases with significant impact in users trust, involving code signing certificates issued by well-known TSPs such as Comodo, Thawte, and Symantec. Excluding security breaches with TSPs (described in a previous ENISA Info Note) the majority involved the theft of private keys (Dell, RealTek, JMicron, Duqu, Malaysian Government, Opera, Bit9, Adobe and D-Link).

Recommendations

In 2016, ENISA published an Info Note titled Certificate Authorities - The Weak Link of Internet Security providing several recommendations that are still valid today. More recently, ENISA published a report drawing important recommendations for TSPs. An important aspect to it is the obligation for TSPs to notify these type incidents, already inforce by Article 19 on eIDAS regulation.

In relation to Code Signing Certificates abuse, real-time certificate validity check in situations such as undoing, revoking and resigning would contribute to reduce this type of incidents.

A list of recommendations to mitigate the risks with code-signed certificates abuse:

• Software publishers to implement additional checks asserting code signing certificates validity.
• Owners of digital certificates to consider these as high value assets and implement adequate security policies and procedures to protect certificates and cryptographic keys from theft or loss.
• Once malicious activity covered by legitimate traffic is identified, users are urged to contact the TSPs for incident disclosure and insert the compromised certificate into the revocation list (CRL) as per RFC5280.
• TSPs to provide quicker response to incidents that involve the abuse of revoked certificates and follow the incident report obligation as per Article 19 of eIDAS regulation.

Closing Remarks

Trust is the cornerstone of the digital ecosystem and code signing certificates as one of the foundational components. The certification landscape has been under scrutiny for the multiple security incidents and breaches haunting the Digital Trust Model. In the particular case of code signing certificates, users expect that when a digital certificate is revoked, all security endpoints and intrusion detection systems immediately alert and block any malicious software of abusing it, what is clearly not the case.  Furthermore, extensive due diligence and oversight of software publishers using code signing certificates is required to regain confidence. The future of code signing certificates should not relay exclusively on TSPs and software publishers, rather a collective effort that includes software industry players adopting trust-by-design and policy makers introducing supervision and regulation.