Real World Code Signing Abuse Today presented at t2 2010

by Jarno Niemelä (F-Secure)

Tags: Development Security

URL: http://t2.fi/schedule/2010/#speech1

Summary: Code signing systems are gaining more attention and becoming an ever more important part of computer security. As the number of trojans, backdoors and other malware keeps increasing, code signing systems are viewed as part of the solution for deciding which applications can be trusted and allowed to run on the system.

The basic idea of code signing, such as Microsoft Authenticode, is that as long as a binary is signed it can be trusted as much as the vendor who produced the software. When code signing is marketed to the public, this message is often simplified to "if it's signed, it can be trusted".

In an ideal world, if every application were signed, there would be no need to scan files; you would simply decide whether or not you trust the vendor who signed the software.

However, like any other trust system designed and implemented by humans, code signing systems can be subverted and abused to lend false trust to malicious applications. There are already thousands of malicious applications and hundreds of thousands of potentially unwanted programs out there, all carrying cryptographically valid code signing signatures.

This presentation gives an overview of code signing abuse as it happens today: what kinds of tricks are played against the certification authorities issuing the keys, what kinds of tricks are used to fool system administrators and forensic investigators trying to figure out whether a given file can be trusted, and what kinds of actions malware can take on a system to subvert the code signing mechanisms once it has infected that system.
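The distinction the abstract draws, that a valid signature only tells you which vendor's key signed the file and not whether that vendor should be trusted, is what an administrator's or investigator's check has to encode. The following PowerShell function is an added example, not material from the talk or from F-Secure: it treats "Valid" as a precondition rather than a verdict, refuses chains that end in a root present only in the per-user store (a generic check assumed here as one way a compromised account can make its own signatures validate), and then makes the trust decision against an organisation's own allowlist of publisher thumbprints, whose values are placeholders.

```powershell
# Added example, not from the talk. Assumptions: $TrustedPublisherThumbprints is
# the organisation's allowlist (placeholder value below) and LocalMachine\Root
# is the authoritative root store on this host.
function Test-SignerTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $TrustedPublisherThumbprints = @('<PLACEHOLDER-SHA1-THUMBPRINT>')
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{ Path = $Path; Status = $sig.Status; Verdict = 'Untrusted'; Reason = '' }

    # 1. A signature that is not cryptographically valid ends the evaluation early.
    if ($sig.Status -ne 'Valid') {
        $result.Reason = "Signature status is $($sig.Status): $($sig.StatusMessage)"
        return [pscustomobject]$result
    }

    $cert = $sig.SignerCertificate
    # 2. Rebuild the chain only to locate the root the verification relied on;
    #    revocation was already evaluated by Get-AuthenticodeSignature.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # 3. A root found only in the per-user store was added without administrative
    #    rights; treat a chain anchored there as untrusted (assumed check).
    $inMachineRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $root.Thumbprint
    if (-not $inMachineRoot) {
        $result.Reason = "Chain ends in root '$($root.Subject)' that is not in LocalMachine\Root"
        return [pscustomobject]$result
    }

    # 4. "Valid" only says a CA vouched for this signer's key; whether to trust the
    #    vendor is the organisation's decision, expressed as an allowlist.
    if ($TrustedPublisherThumbprints -notcontains $cert.Thumbprint) {
        $result.Reason = "Valid signature by '$($cert.Subject)' but signer is not on the allowlist"
        return [pscustomobject]$result
    }

    $result.Verdict = 'Trusted'
    $result.Reason  = "Signer '$($cert.Subject)' (issuer '$($cert.Issuer)') is allowlisted"
    return [pscustomobject]$result
}

# Usage (paths and thumbprints are placeholders):
# Test-SignerTrust -Path 'C:\Program Files\Example\app.exe' -TrustedPublisherThumbprints @('<SHA1>')
```

The function returns an object with Verdict and Reason so it can be piped over a directory listing and the Reason column reviewed, which is what makes a file signed by an unexpected but validly issued certificate stand out.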

Jarno Niemelä: Jarno Niemelä has spent the past 10 years at the F-Secure security lab working on mobile threats, scan engines and, for the past couple of years, on analyzing and identifying malicious behavior and automatic malware.