Slashdot Mirror


Hackers Are Selling Legitimate Code-signing Certificates To Evade Malware Detection (zdnet.com)

Zack Whittaker, writing for ZDNet: Security researchers have found that hackers are using code-signing certificates more to make it easier to bypass security appliances and infect their victims. New research by Recorded Future's Insikt Group found that hackers and malicious actors are obtaining legitimate certificates from issuing authorities in order to sign malicious code. That's contrary to the view that in most cases certificates are stolen from companies and developers and repurposed by hackers to make malware look more legitimate. Code-signing certificates are designed to give your desktop or mobile app a level of assurance by making apps look authentic. Whenever you open a code-signed app, it tells you who the developer is and provides a high level of integrity to the app that it hasn't been tampered with in some way. Most modern operating systems, including Macs, only run code-signed apps by default.

4 of 50 comments

  1. More evidence that CAs are useless window dressing by FrankSchwab · Score: 5, Insightful

    So, we've found out in the past that some Certificate Authorities are about as trustworthy as the guy offering you Rolexes from the back of his van. At least he's open with the fact that he'll sell one to anyone.

    From that, we realized that a modern browser has innumerable CAs that they trust - and any one of them can issue rogue certificates.

    And now we realize that, not only do we have to worry about those, we have to recognize that, because the certificate issuance process isn't handled inside the client company, anyone who can acquire the credentials of someone who can log in to Digicert or whoever can issue rogue certificates. And keeping credentials secret has been shown in the current world to be almost impossible.

    And yet we continue to write checks to CAs for certificates that we can't trust.

    --
    And the worms ate into his brain.
  2. Revoke comes to mind by oldgraybeard · Score: 2

    Isn't that the whole basis of the trust system's response? That certs can be revoked?

    Just wondering? I guess if you got bit in the meantime you would be irked. But future things could be stopped? Maybe? Wondering?

    Just my 2 cents ;)

    1. Re:Revoke comes to mind by mysidia · Score: 2

      Isn't that the whole basis of the trust system's response? That certs can be revoked?

      The Revocation mechanism is designed to help with the rare case that the code signer's public key is compromised. It's NOT designed to facilitate the CA doing safety reviews on code they've signed to identify it as malware and cancel the signature.

      For performance reasons.... the Valid/Revoked status is generally cached at a minimum, for example, and some clients won't necessarily even check for revocation without a patch/upgrade being sent out to manually blacklist the cert --- the HARD end date on a cert is the expiration date on the cert; and revocation is not a very dependable facility; at least not without additional measures.
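Two points in this thread can be shown in one program: the summary's description of what a code signature actually guarantees (who the key holder is, and that the bytes were not changed, with no judgement of what the bytes do), and mysidia's point that revocation is a separate, less dependable mechanism from the expiration date. The Go below is an added example written for this page, not code from the ZDNet story, from Recorded Future or from any commenter; the issuing CA, the publisher name "Acme Software LLC", the serial numbers and the sample binary bytes are all constructed. It uses only the standard library's crypto/x509: a CA issues a certificate with the codeSigning extended key usage, the holder signs whatever bytes they like, and verifyCode performs the checks a loader performs (chain to a trusted root, EKU, validity period, signature over the bytes). isRevoked is a deliberately separate call that verifyCode never makes, which is exactly the gap the comment describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template is a constructed cert template: an issuing CA when ca is true, else a codeSigning-EKU leaf good for `days`.
func template(serial int64, cn string, now time.Time, days int, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 0, days),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if ca { // a CA signs certificates and CRLs and carries no EKU restriction of its own
		t.IsCA, t.BasicConstraintsValid, t.ExtKeyUsage = true, true, nil
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// mkCert generates a P-256 key and has parent/signer certify tmpl for it (self-signed when parent is nil).
func mkCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// signCode produces a detached ECDSA signature over SHA-256 of the binary; the CA never sees the bytes.
func signCode(key *ecdsa.PrivateKey, code []byte) ([]byte, error) {
	h := sha256.Sum256(code)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// verifyCode is the loader's check: trusted chain, codeSigning EKU, validity at now, signature over the bytes. No revocation lookup.
func verifyCode(root, leaf *x509.Certificate, code, sig []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if err := leaf.CheckSignature(x509.ECDSAWithSHA256, code, sig); err != nil {
		return fmt.Errorf("code tampered or signed with another key: %w", err)
	}
	return nil
}

// revoke has the CA publish a CRL naming the leaf's serial number.
func revoke(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, leaf *x509.Certificate, now time.Time) ([]byte, error) {
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}},
	}, caCert, caKey)
}

// isRevoked is the separate lookup a client has to make on its own; verifyCode never does.
func isRevoked(crlDER []byte, caCert, leaf *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(caCert) // a CRL the CA did not sign proves nothing
	}
	if err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	now := time.Now()
	caCert, caKey, _ := mkCert(template(1, "Example Issuing CA", now, 3650, true), nil, nil)
	leaf, leafKey, _ := mkCert(template(1001, "Acme Software LLC", now, 365, false), caCert, caKey)
	code := []byte("constructed sample binary") // could be a game or a loader for malware; the CA cannot tell
	sig, _ := signCode(leafKey, code)
	fmt.Println("within validity:", verifyCode(caCert, leaf, code, sig, now))
	fmt.Println("past NotAfter:  ", verifyCode(caCert, leaf, code, sig, now.AddDate(0, 0, 400)))
}
```

Run as written, the first line prints <nil> (a legitimately issued certificate verifies whatever it signed) and the second fails on the validity period, which is the only end date a client enforces without extra work. A CRL produced by revoke changes nothing about verifyCode's answer; only a client that fetches the CRL and calls isRevoked sees the difference, and a cached or skipped lookup, as the comment notes, sees nothing.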

  3. bad title by superwiz · Score: 2

    Shouldn't it be "hackers are buying..." instead of "hackers are selling..."?

    --
    Any guest worker system is indistinguishable from indentured servitude.