The Rise of Malware Exploiting Code Signing Certificates
In the arms race between malware authors and security software vendors, anti-virus companies need all the help they can get. Cryptography has helped considerably: a code signature is a signed hash of the software, and without the signer's private key it cannot practically be forged. If a malicious actor modifies legitimately signed software, the hash no longer matches and the signature check fails.
Microsoft helped by pushing software vendors to sign their code, notably by requiring that kernel-mode device drivers be signed on 64-bit Windows.
Over the past years there have been several break-ins at device manufacturers whose sole aim was to steal poorly secured code-signing private keys. The Stuxnet worm's drivers carried valid digital signatures made with certificates stolen from Realtek and JMicron, which let it spread without alerting users to its presence.
Three University of Maryland, College Park researchers reported that of 325 signed malware samples, 189 (58.2%) carried valid digital signatures, while the remaining 136 (41.8%) carried malformed, invalid, or expired signatures.
The researchers took five unsigned ransomware samples that almost all anti-virus products detected as malicious, then signed each of them with two expired certificates. Such a signature is invalid: an expired certificate with no trusted timestamp fails chain validation, so a correct Authenticode check rejects the file. Yet with this one simple change, many anti-virus products stopped flagging the malware as malicious.
Kaspersky Lab, Microsoft (the researchers did not say which product, e.g. Windows Defender or Security Essentials), Trend Micro, Symantec, Comodo and Palo Alto Networks failed to detect some of the known malicious samples once invalid, expired certificates were attached to them. Other affected products included CrowdStrike, Fortinet, Avira, Malwarebytes, SentinelOne, Sophos and Qihoo. Recent ransomware outbreaks such as BadRabbit carried an invalid digital signature, which means these products would likely have missed flagging BadRabbit as malicious for the same reason.
The researchers wrote:
"We believe that this [inability in detecting malware samples] is due to the fact that AVs take digital signatures into account when filtering and prioritizing the list of files to scan, to reduce the overhead imposed on the user’s machine and the time required to scan. However, the incorrect implementation of Authenticode signature checks in many AVs gives malware authors the opportunity to evade detection with a simple and inexpensive method."
We have seen this story before: appliances that are not built for scale do not inspect every byte, and instead blindly whitelist traffic from “trusted” services such as CDNs for performance reasons. Zscaler applies the zero-trust model and its Byte-Scan technology to scan every byte of data, including SSL/TLS traffic, whether or not it carries a valid digital signature.