The practice of using maliciously signed binaries continues to grow. Digitally signing malware with legitimate credentials is an easy way to make victims believe that what they are downloading, seeing, and installing is safe. That is exactly what the malware writers want you to believe. But it is not true.
Through the use of stolen or counterfeit signing credentials, attackers can make their code appear trustworthy. This tactic works very well and is becoming ever more popular as a mechanism to bypass typical security controls.
The latest numbers from the Intel Security Group’s McAfee Labs Threats Report: August 2015 reveals a steady climb in the total number of maliciously signed binaries found in use on the Internet. The report shows a disturbingly healthy growth rate with total numbers approaching 20 million unique samples detected.
Although it takes extra effort to sign malware, it is worthwhile for the attackers. No longer an exclusive tactic of state-sponsored offensive cyber campaigns, signed malware is now used by cybercriminals and professional malware writers, and has become a widespread problem. Signing allows malware to slip past network filters and security controls, and can be used in phishing campaigns. This is a highly effective trust-based attack, leveraging the very security structures initially developed to reinforce confidence when accessing online content. Signing code began as a way to thwart hackers from secretly injecting Trojans into applications and other malware masquerading as legitimate software. The same practice is in place for verifying content and authors of messages, such as emails. Hackers have found a way to twist this technology around for their benefit.
The industry has known of the emerging problem for some time. New tools and practices are being developed and employed. Detective and corrective controls are being integrated into host, data center, and network-based defenses. But adoption is slow—which affords a huge opportunity for attackers.
The demand for stolen certificates is rising, driven by increasing use and partly by an erosion effect of better security tools and practices, which work to reduce the window of time any misused signature remains valuable. Malware writers want a steady stream of fresh and highly trusted credentials to exploit. Hackers who breach networks are harvesting these valuable assets, and we now see new malware possess the features to steal credentials of their victims. A new variant of the hugely notorious Zeus malware family, Sphinx, is designed to allow cybercriminals to steal digital certificates. The attacker community is quickly adapting to meet their needs.
Maliciously signed malware is a significant and largely underestimated problem that undermines the structures of trust which computer and transaction systems rely upon. Signed binaries are much more dangerous than the garden variety of malware. Until effective and pervasive security measures are in place, this problem will grow in size and severity.