Malicious files with fake digital signatures

Signing malicious files with fake signatures that at first glance seem authentic is one of the new methods used by malware writers to add an air of legitimacy to them and increase the probability of execution.

Symantec reports on some files it received that were apparently signed by “Adobe Systems Incorporated”. A look under the hood shows that the certificate cannot be verified, because “Verisign” – the Certificate Authority (CA) that supposedly vouches for the authenticity of the file – did not sign the file with the private key that corresponds to the one used by the legitimate Verisign CA. The issuer name reads like the real CA, but the signature on the certificate does not chain to the trusted Verisign root.

If you are using Windows with UAC enabled, you will be explicitly warned that the publisher could not be verified.

If a file bears a signature, it is worth checking whether it is actually valid – it is only a few seconds of work that can save you a lot of trouble.
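As an added example (not from the original post or from Symantec), the check described above can be done in a few seconds with PowerShell's built-in `Get-AuthenticodeSignature` cmdlet and a manual chain build. Only the file path is assumed; everything else uses standard Windows APIs. A forged issuer such as the fake “Verisign” in the post does not produce a `Valid` status, because the signer certificate cannot be chained to a trusted root even though its issuer string looks right.

```powershell
# Added example: verify a file's Authenticode signature and certificate chain.
# $Path is a placeholder supplied by the caller, e.g. .\Test-FileSignature.ps1 C:\Downloads\setup.exe
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

$sig = Get-AuthenticodeSignature -FilePath $Path

# Status is 'Valid' only when the file hash matches the signed hash AND the
# signer certificate chains to a trusted root. A certificate whose issuer merely
# *claims* to be a well-known CA yields NotTrusted / UnknownError instead.
Write-Output ("Status      : {0}" -f $sig.Status)
Write-Output ("StatusMsg   : {0}" -f $sig.StatusMessage)

if ($sig.SignerCertificate) {
    $cert = $sig.SignerCertificate
    Write-Output ("Subject     : {0}" -f $cert.Subject)
    Write-Output ("Issuer      : {0}" -f $cert.Issuer)     # the name the forger copied
    Write-Output ("Thumbprint  : {0}" -f $cert.Thumbprint)

    # Rebuild the chain explicitly so the reason for failure is visible:
    # a fake issuer shows up as UntrustedRoot, PartialChain or NotSignatureValid,
    # regardless of what the Issuer string says.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($cert)
    Write-Output ("ChainBuilds : {0}" -f $chainOk)
    foreach ($s in $chain.ChainStatus) {
        Write-Output ("  ChainStatus: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
}

# Anything other than Valid should be treated as unsigned when deciding to run it:
# the publisher name shown in Properties > Digital Signatures proves nothing on its own.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature on '$Path' did not verify; do not trust the publisher name it displays."
    exit 1
}
```

The important detail is the difference between the issuer *name* and the issuer *key*: the script prints the name (which the attacker controls) and then reports whether the chain actually builds (which they cannot fake without a CA's private key). For a batch of files, the same logic can be wrapped in `Get-ChildItem | ForEach-Object` and anything not returning `Valid` quarantined for review.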

