Hackers Are Selling Legitimate Code-signing Certificates To Evade Malware Detection (zdnet.com)

Zack Whittaker, writing for ZDNet: Security researchers have found that hackers are using code-signing certificates more to make it easier to bypass security appliances and infect their victims. New research by Recorded Future's Insikt Group found that hackers and malicious actors are obtaining legitimate certificates from issuing authorities in order to sign malicious code. That's contrary to the view that in most cases certificates are stolen from companies and developers and repurposed by hackers to make malware look more legitimate. Code-signing certificates are designed to give your desktop or mobile app a level of assurance by making apps look authentic. Whenever you open a code-signed app, it tells you who the developer is and provides a high level of integrity to the app that it hasn't been tampered with in some way. Most modern operating systems, including Macs, only run code-signed apps by default.
  • by Anonymous Coward
    Can I purchase a cert that helps?
  • "Most modern operating systems, including Macs, only run code-signed apps by default." 1. Acquire source 2. $COMPILER 3. ./a.out I must not understand, anything really. Can someone clear this up, or is this just some slow Sunday news?
    • by Anonymous Coward

      Your point is well taken. There are tons of ways to run unsigned code. Ignore that factual mistake. The point is that CAs are a very weak point in the system (as we all knew). Turns out delegating the keys to your kingdom, so to speak, isn't the best idea. The stewards of public trust, in this area like most others, are corrupt and greedy.

    • google are so hard! https://www.manpagez.com/man/1... [manpagez.com]

    • Are you asking "why can I compile and run locally-built apps?"

      Macs (and I think Windows) set a special attribute on files that have been downloaded from potentially untrustworthy sources, like downloading from the internet. It's not completely correct to say that Macs will only run signed apps by default. Rather, by default, they only run apps which are downloaded from an untrusted source if they are signed with a valid code certificate. Needless to say, a locally compiled application doesn't have this a

    • by Jaime2 ( 824950 )

      It means that ZDNet copied and pasted text from a barely readable article at RecordedFuture, and made no effort to figure out what the original author was trying to say. The RecordedFuture article was mostly of the "the sky is falling" type, with very little actual analysis, so figuring out what they were trying to say wouldn't have helped all that much anyways.

      At the end of the day, what they were saying was that anti-malware software often uses a scoring system and code that's signed with a legitimate cer

  • by FrankSchwab ( 675585 ) on Sunday February 25, 2018 @04:53PM (#56184917)

    So, we've found out in the past that some Certificate Authorities are about as trustworthy as the guy offering you Rolexes from the back of his van. At least he's open with the fact that he'll sell one to anyone.

    From that, we realized that a modern browser has innumerable CAs that they trust - and any one of them can issue rogue certificates.

    And now we realize that, not only do we have to worry about those, we have to recognize that, because the certificate issuance process isn't handled inside the client company, that anyone who can acquire the credentials of someone who can login to Digicert or whoever, can issue rogue certificates. And keeping credentials secret has been shown in the current world to be almost impossible.

    And yet we continue to write checks to CAs for certificates that we can't trust.

    • by Z00L00K ( 682162 )

      It doesn't have to be the CA in this case, it's enough if the developer has been compromised in some way, even more so if a major company has been compromised.

      Imagine if someone could sign their program with the Microsoft certificate - it would be a major effort to quench that mess.

    • When people attribute a trait to something that doesn't have it, is it said something's fault to not have it?

      A certificate does not say that something is safe. Only that whoever claims to be the originator really is the originator. If you enter your online banking credentials for your SuperOnlineBank into the (certificated) site hxxps://superonlinbank.com, whose fault is it? If you took a look at the certificate (or the URL, for that matter) you could easily have seen that you're not dealing with who you wa

    • by gweihir ( 88907 )

      Indeed. And when I took a course on "authentication systems" about 3 decades ago, this potential problem was already well-known.

  • by oldgraybeard ( 2939809 ) on Sunday February 25, 2018 @05:49PM (#56185161)
    Isn't that the whole basis of the trust systems response? Is that certs can be revoked?

    Just wondering? I guess if you got bit in the mean time you would be irked. But future things could be stopped? Maybe? Wondering?

    Just my 2 cents ;)
    • by mysidia ( 191772 )

      Isn't that the whole basis of the trust systems response? Is that certs can be revoked?

      The Revocation mechanism is designed to help with the rare case that the code signer's public key is compromised. It's NOT designed to facilitate the CA doing safety reviews on code they've signed to identify it as malware and cancel the signature.

      For performance reasons.... the Valid/Revoked status is generally cached at a minimum, for example, and some clients won't necessarily even check for revocation withou

      • If that is true, what is the purpose? Why do we use it? Just my 2 cents ;)
        • It's mostly not entirely dependable because it happens so rarely (or happened, at least) that we still keep finding loopholes and faulty implementations.

        • by Jaime2 ( 824950 )

          The purpose is to allow for a mechanism to recover from CA compromise, discovered protocol weakness, or private key compromise. If implemented properly, it would serve these purposes well. Unfortunately, the implementation of Certificate Revocation List checking has historically favored ease of access over security. It wasn't until a few years ago that some major web browsers checked for revocation at all.

          There are many reasons for this failure. Some security professionals don't like the whole idea of the CA

  • by superwiz ( 655733 ) on Sunday February 25, 2018 @06:33PM (#56185279)
    Shouldn't it be "hackers are buying..." instead of "hackers are selling..."?
    • by MobyDisk ( 75490 )

      Yes, but no. The article says that hackers hack into Apple, Comodo, or Symantec and use their credentials to generate and sell certificates. So hackers are selling the certificates, and buying the certificates too.

  • They're not selling certificates. The CAs are selling the certificates, which are public documents once they're created.

    The "hackers" are selling the private keys that correspond to the certificates.

    This is a perfectly sensible, if unethical, business model. The incentive to keep the key private is to avoid diluting (usually to nothing) the value of certificate as a proof of provenance. Someone who obtains a code-signing certificate with the intent of selling the key doesn't have that incentive.

    And the head
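Added example (not part of the thread, and not code from ZDNet or Recorded Future): a toy model in Python of the two points made in this comment and in the revocation discussion further up. A "certificate" here is a dictionary holding a serial, a subject name and the subject's public key, signed by the CA; whoever holds the matching private key can sign anything and the verifier only checks provenance and revocation status, never what the code does; and a client that caches the CA's revocation list keeps trusting a revoked certificate until its cache expires. It uses textbook RSA over 256-bit primes instead of real X.509/RSA-PSS, so it is for illustration only; the subject name, serial number, one-hour cache TTL and payload bytes are constructed for the demo.

```python
# Added example, not from the thread: toy code-signing PKI. Textbook RSA and
# ad-hoc dict "certificates"; NOT X.509, NOT RSA-PSS, NOT for real use.
import hashlib
import random

rng = random.Random(2018)  # fixed seed: deterministic demo on constructed data

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if is_probable_prime(cand):
            return cand

def keygen(bits: int = 512):
    """Return (public, private) textbook-RSA keys as (exponent, modulus) tuples."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            break
    return (e, p * q), (pow(e, -1, phi), p * q)

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")  # < 2**256 < n

def sign(priv, data: bytes) -> int:
    d, n = priv
    return pow(digest(data), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    e, n = pub
    return pow(sig, e, n) == digest(data)

def cert_tbs(cert: dict) -> bytes:
    """The signed part of the certificate: serial, subject, subject public key. All public."""
    return f"{cert['serial']}|{cert['subject']}|{cert['pub'][0]}|{cert['pub'][1]}".encode()

def issue_cert(ca_priv, serial: int, subject: str, subject_pub) -> dict:
    cert = {"serial": serial, "subject": subject, "pub": subject_pub}
    cert["ca_sig"] = sign(ca_priv, cert_tbs(cert))
    return cert

class Verifier:
    """A client that re-fetches the CA's revocation list only every crl_ttl seconds."""
    def __init__(self, ca_pub, crl_ttl: int):
        self.ca_pub, self.crl_ttl, self.cache = ca_pub, crl_ttl, None  # cache: (fetched_at, serials)

    def revoked_serials(self, ca_crl: set, now: int) -> set:
        if self.cache is None or now - self.cache[0] >= self.crl_ttl:
            self.cache = (now, set(ca_crl))  # snapshot: stale until the TTL expires
        return self.cache[1]

    def check(self, cert: dict, code: bytes, sig: int, ca_crl: set, now: int) -> str:
        if not verify(self.ca_pub, cert_tbs(cert), cert["ca_sig"]):
            return "untrusted issuer"
        if cert["serial"] in self.revoked_serials(ca_crl, now):
            return "revoked"
        if not verify(cert["pub"], code, sig):
            return "bad signature"
        return "trusted"  # says who signed it, not whether it is safe

def run_demo() -> dict:
    ca_pub, ca_priv = keygen()
    dev_pub, dev_priv = keygen()      # legitimate developer's key pair (the thing being sold)
    _, crook_priv = keygen()          # attacker's own key; no CA-issued cert for it
    cert = issue_cert(ca_priv, serial=4242, subject="Acme Software Ltd", subject_pub=dev_pub)
    crl = set()                                 # the CA's published revocations
    client = Verifier(ca_pub, crl_ttl=3600)     # caches the CRL for an hour
    benign = b"constructed sample: legitimate installer"
    malware = b"constructed sample: dropper signed with the bought Acme key"
    out = {}
    out["benign"] = client.check(cert, benign, sign(dev_priv, benign), crl, now=0)
    # Same private key, same public cert: the verifier checks origin, not behaviour.
    out["malware_with_bought_key"] = client.check(cert, malware, sign(dev_priv, malware), crl, now=1)
    # Without the private key the public certificate is useless to an attacker.
    out["malware_with_own_key"] = client.check(cert, malware, sign(crook_priv, malware), crl, now=2)
    crl.add(cert["serial"])                     # the CA revokes the certificate at t=100
    out["after_revoke_cached"] = client.check(cert, malware, sign(dev_priv, malware), crl, now=100)
    out["after_revoke_fresh"] = Verifier(ca_pub, 3600).check(cert, malware, sign(dev_priv, malware), crl, now=100)
    out["after_revoke_cache_expired"] = client.check(cert, malware, sign(dev_priv, malware), crl, now=3700)
    return out

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:28s} {result}")
```

The dropper signed with the bought key is "trusted" both before revocation and, for the client with a cached revocation list, for the rest of the cache lifetime after it; only a client that fetches fresh status sees "revoked". The attacker's own key produces "bad signature" because the certificate binds the CA's assertion to the developer's public key, which is exactly why the key and not the certificate is what changes hands.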
