'Want my autograph?': The use and abuse of digital signatures by malware presented at Virus Bulletin 2010

by Mike Wood (Sophos),

Tags: Security

URL : http://www.virusbtn.com/conference/vb2010/abstracts/MWood.xml

Summary : "
Encryption has always been a part of malware, from basic ROT13 string encoding to multi-layered packing algorithms.
However, malware authors are rapidly discovering numerous ways to exploit the public key infrastructure (PKI) in addition
to their home-grown crypto.
With the many layers that make up the PKI - certificate issuance, verification, revocation and all of the protocols and
software that go in between - scammers have a multitude of vulnerabilities at their fingertips to abuse the overall system.
For instance, automated vetting for digital certificate purchases makes it a snap to anonymously set up a phishing or
rogue e-commerce site that is fully equipped with a certificate trusted by most major browsers. Moreover, malware authors
are able to masquerade their trojans as binaries from a legitimate source, using valid or invalid signatures, as most
users simply click through the related security warnings. Making matters worse, much of the endpoint software consuming
digitally signed content have their own weaknesses, including off-by-default certificate revocation checking mechanisms
as well as vulnerabilities in certificate parsing routines.
In addition to abuse, malware authors have also discovered ways to use the PKI for their own benefit, including extortion
(e.g. ransomware) and to achieve secure updates.
PKI abuse is a complex and multi-layered threat, which ultimately boils down to effectively managing an individual's trust
in something they do not fully understand. This fits in with a broader and growing trend of malware authors investing
more, both in terms of time and money, to build up trust in their malicious wares.
This paper captures the spectrum of digital signature use in malware - the abuses, the technical and social challenges,
and possible approaches to turn the criminals' investment in their fraudulent reputation into appropriate protection
mechanisms."