More and more malware authors are switching to buying new, valid code signing certificates issued by Certificate Authorities instead of using stolen (compromised) ones, researchers have found.
They do not go directly to the CAs for that, but go through one of the vendors of Authenticode certificates offering their wares on underground forums, marketplaces and black-market websites.
About code signing
A group of researchers from Masaryk University and University of Maryland have been looking into the underground trade of Authenticode certificates, which are used to sign all kinds of Windows portable executables.
“The digital signatures allow client platforms to identify the publisher who developed the software and to ensure the integrity of the signed executables. Each signature appended to an executable is accompanied by a code-signing certificate, which binds the signing key to the publisher’s real identity,” the researchers explained.
“Unlike the better studied Web PKI, the Authenticode PKI is opaque, as compromised certificates cannot be discovered systematically through network scanning and there is no official list of legitimate software publishers. This facilitates abuse, allowing miscreants to obtain code signing certificates and to produce valid digital signatures for malicious code.”
A valid signature/certificate does not guarantee that software you have downloaded is safe, but it makes malicious software more likely to get past Windows protections such as Microsoft Defender SmartScreen.
About the vendors
They identified four leading underground vendors of Authenticode certificates, and three of them are very active.
The researchers were also surprised to find that all vendors opt for selling the anonymous code signing certificates to the malware developers instead of providing a signing service for a fee.
“All vendors claim that their certificates are freshly issued, that is, that they have not been stolen in any way but obtained directly from a CA. Further, all vendors claimed that they sell one certificate into the hands of just one client, and some even offered free or cheap one-time reissue if the certificate was blacklisted too soon. Vendors did not appear to be concerned with revocation, often stating that it usually ‘takes ages’ until a CA revokes an abused certificate,” they shared.
“Some vendors even claim to obtain the certificate on demand, having the certificate issued once a customer pays half of the price. Interestingly, [one vendor] even claims that he always has a few publisher identities prepared and the customer can then choose which of these publisher names he wants to have his certificate issued on.”
The prices for standard code signing certificates range from $350 to $500 and those for EV certificates from $2,500 to $3,000.
Signed malware analysis
The researchers have also collected a dataset of recently signed malware and used it to study the relationships among malware developers, malware families, and certificates.
Among other things, they found that multiple certificates from signed malware tend to be issued to what appears to be one publisher company identity with slight variations in the publisher name (e.g., Ltd "Vet Faktor", LLC "VET FAKTOR", etc.), and that the timing patterns of certificate abuse show that the vendors' claims to sell fresh certificates are more than likely true.
The malware developers seem not to be worried about burning their code signing certificates as there is apparently a reliable supply of new ones.
“Our results suggest that it is possible for specialized vendors to set up a reliable process for obtaining code-signing certificates from CAs. This warrants further investigation into the methods the vendors use to pass the CAs’ identity verification processes and into the best ways to prevent the abuse,” the researchers noted.
Their analysis allowed them to offer two ways to raise the bar for underground certificate vendors:
- CAs should standardize the way the publisher name is listed in the certificate.
- If a CA discovers a certificate that has been issued straight to the black market, they should investigate other certificates issued for similarly-named publishers.
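The publisher-name variants described above (legal form, case, quoting and punctuation differing while the underlying identity stays the same) are exactly what a CA or a defender would want to collapse before pivoting from one certificate known to have reached the black market to its look-alikes. The following Python is an added example written for this article, not code from the researchers or from any CA; the publisher names, serials and legal-form list are constructed, and the similarity threshold is an assumed tuning value.

```python
"""Cluster Authenticode publisher names that differ only in legal form, case,
punctuation or quoting, so that a CA or a defender can pivot from one certificate
known to have been sold on the black market to its look-alikes.
Added example: the sample data below is constructed, not taken from the paper."""
import re
import unicodedata
from collections import defaultdict
from difflib import SequenceMatcher

# Legal-form tokens stripped from publisher names (constructed list; extend as needed).
LEGAL_FORMS = {"ltd", "limited", "llc", "inc", "corp", "corporation", "co",
               "gmbh", "sro", "ooo", "oy", "ab", "plc", "sa", "bv"}


def normalize_publisher(name: str) -> str:
    """Canonical key for a certificate subject's organisation / common name:
    ASCII-folded, lowercased, quotes and punctuation removed, legal forms dropped."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z0-9]+", " ", folded.lower().replace("&", " and ")).split()
    return " ".join(t for t in tokens if t not in LEGAL_FORMS)


def cluster_publishers(certs):
    """Group (serial, publisher) pairs whose publisher names share a normalized key."""
    groups = defaultdict(list)
    for serial, publisher in certs:
        groups[normalize_publisher(publisher)].append(serial)
    return dict(groups)


def near_keys(key, keys, threshold=0.85):
    """Other keys close to `key` by string similarity; catches spelling variants
    that token-level normalisation alone would keep apart (threshold is assumed)."""
    return sorted(k for k in keys
                  if k != key and SequenceMatcher(None, key, k).ratio() >= threshold)


def certificates_to_investigate(certs, bad_serials, threshold=0.85):
    """Given serials known to have reached the black market, return the other serials
    whose publisher name is identical after normalisation or a near match: the set
    a CA should look at under the second recommendation above."""
    groups = cluster_publishers(certs)
    key_of = {serial: normalize_publisher(pub) for serial, pub in certs}
    flagged = set()
    for bad in bad_serials:
        key = key_of[bad]
        for k in [key] + near_keys(key, groups, threshold):
            flagged.update(groups[k])
    return sorted(flagged - set(bad_serials))


# Constructed sample: serials and subject names; the 'Vet Faktor' variants mirror the article.
SAMPLE_CERTS = [
    ("01", 'Ltd "Vet Faktor"'),
    ("02", 'LLC "VET FAKTOR"'),
    ("03", "Vet-Faktor, Ltd."),
    ("04", "Vet Factor LLC"),
    ("05", "Contoso Corp"),
]

if __name__ == "__main__":
    for key, serials in cluster_publishers(SAMPLE_CERTS).items():
        print(f"{key!r}: {serials}")
    # Serial 01 is known bad; 02 and 03 share its key, 04 is a near match.
    print("investigate:", certificates_to_investigate(SAMPLE_CERTS, ["01"]))
```

The token-level key is deliberately strict so that unrelated companies sharing a word are not merged; the difflib pass on top of it is what catches transliteration variants such as "Faktor" versus "Factor". In practice the input would be the Subject fields of issued certificates pulled from the CA's own issuance logs, and any hit would be a prompt for human review rather than automatic revocation.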