Signed Malware Continues to Undermine Trust

The practice of using maliciously signed binaries continues to grow.  Digitally signing malware with legitimate credentials is an easy way to make victims believe what they are downloading, seeing, and installing is safe.  That is exactly what the malware writers want you to believe.  But it is not true.

2015 Q3 Total Malicious Signed Binaries.jpg

Through the use of stolen or counterfeit signing credentials, attackers can make their code appear trustworthy.  This tactic works very well and is becoming ever more popular as a mechanism to bypass typical security controls. 

The latest numbers from the Intel Security Group’s August 2015 McAfee Labs Threat Report reveals a steady climb in the total number of maliciously signed binaries spotted in use on the Internet.  It shows a disturbingly healthy growth rate with total numbers approaching 20 million unique samples detected.

Although it takes extra effort to sign malware, it is worth it for the attackers.  No longer an exclusive tactic of state-sponsored offensive cyber campaigns, it is now being used by cyber-criminals and professional malware writers, and is becoming a widespread problem.  Signing allows malware to slip past network filters and security controls, and can be used in phishing campaigns.  This is a highly effective trust-based attack, leveraging the very security structures initially developed to reinforce confidence when accessing online content.  Signing code began as a way to thwart hackers from secretly injecting Trojans into applications and other malware masquerading as legitimate software.  The same practice is in place for verifying content and authors of messages, such as emails.  Hackers have found a way to twist this technology around for their benefit.  

The industry has known of the emerging problem for some time.  New tools and practices are being developed and employed.  Detective and corrective controls are being integrated into host, data center, and network based defenses.  But adoption is slow which affords a huge opportunity for attackers. 

The demand for stolen certificates is rising.  Driven by the increasing usage and partly by an erosion effect of better security tools and practices, which work to reduce the window of time any misused signature remains valuable.  Malware writers want a steady stream of fresh and highly trusted credential to exploit.  Hackers who breach networks are harvesting these valuable assets and we are now seeing new malware possess the features to steal credentials of their victims.  A new variant of the hugely notorious Zeus malware family, "Sphinx", is designed to allow cybercriminals to steal digital certificates.  The attacker community is quickly adapting to fulfill market needs.  

Maliciously signed malware is a significant and largely underestimated problem which undermines the structures of trust which computer and transaction systems rely upon.  Signed binaries are much more dangerous than the garden variety of malware.  Until effective and pervasive security measures are in place, this problem will grow in size and severity.

Twitter: @Matt_Rosenquist

LinkedIn: http://linkedin.com/in/matthewrosenquist

Published on Categories SecurityTags , ,
Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.