Digitally signed malware is becoming routine

Even the bad guys are using code-signing certificates.

According to a recent report by McAffe http://blogs.mcafee.com/mcafee-labs/signed-malware-you-can-runbut-you-cant-hide

"more than 200,000 new and unique malware binaries discover in 2012 have valid digital signatures"

What this means is that attackers are able to provide malware versions of applications and drivers that look like they come from legitimate sources. While most of the malware detected comes from test-signing attacks, which can be detected and disabled, the more problematic signed malware comes from certificates issued by compromised Certificate Authorities. A compromised CA can generate a signing certificate that imitates a popular vendor like Apple, Adobe, Google, or Microsoft.

Anti-malware vendors are aware of this and, if you're running an effective anti-malware scanner, it should detect malware even when it is digitally signed. The problem comes for people running operating systems without anti-malware scanners who are relying on digital signatures as a way of sorting legitimate code from the more nefarious stuff. Even if operating systems of the future only run signed code, it looks as though the malware authors of today have a way around it.

Follow me on twitter: @orinthomas

Please or Register to post comments.

What's Hyperbole, Embellishment, and Systems Administration Blog?

IT pro Orin Thomas provides true tales, snafus, news, and urban legends for Microsoft Windows system administrators.

Contributors

Orin Thomas

Orin Thomas is a contributing editor for Windows IT Pro and a Windows Security MVP. He has authored or coauthored more than thirty books for Microsoft Press, founded the Melbourne System Center,...
Blog Archive

Sponsored Introduction Continue on to (or wait seconds) ×