Coming conundrum: Malware signed by a legitimate developer

Cyber criminals are stealing code-signing certificates, allowing their malware to get by some defenses

Signed code has become one of the common measures used to secure various computing platforms. Relatively young operating systems -- such as Apple's iOS and Google's Android -- require that all code be signed using a valid developer signature. More traditional PC operating systems use code signing only for certain system features, such as signing updates and drivers.

Yet cyber criminals and other attackers are starting to use signed code to evade security measures by stealing legitimate certificates from software developers, then using the certificates to sign their malicious programs. Earlier this week, security firm F-Secure posted an example of such an attack, where a malicious PDF file had been signed using a certificate -- now expired -- issued to a Malaysian government agency.

Signed malware "is problematic, as an unsigned Windows application will produce a warning to the user if he downloads it from the Web -- signed applications won't do this," writes Mikko Hypponen, chief research officer for F-Secure. "Also, some security systems might trust signed code more than unsigned code."

In follow-up comments, Hypponen stresses that signed malware is still uncommon and that in 99 percent of cases, a self-signed certificate is used, which typically is not considered trusted.

But data from antivirus firm AVG shows that the nascent problem is growing. In 2009, the company detected about 30,000 malicious programs signed with legitimate -- albeit stolen or fraudulently issued -- certificates. The next year, that number increased by a third and is on track to triple in 2011.

Developers can help fight the trend by securing their certificate keys, says Yuval Ben-Itzhak, AVG's CTO. "In many software companies, the certificate to sign the code is sitting on the developer's machine in plain text," he says. "Companies should make sure that they are securing the code and the digital certificate from being stolen."

This story, "Coming conundrum: Malware signed by a legitimate developer," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.