It was Ronald Regan who famously said, “Trust – but verify.” Two weeks ago we reported on one of the most confusingly convoluted scenarios to hit website security so far this year, when SSL/TSL cert reseller Trustico’s plan to rid customers of certificates issued by Symantec and subsidiaries ended in a Twitter spat between Trustico and DigiCert, followed by 23,000 private customer keys being leaked via email and the Trustico website temporarily shutting down.
This week, a new study titled: ‘Issued for Abuse: Measuring the Underground Trade in Code Signing Certificates’ was released by American and Czech researchers, investigating various forms of abuse that allow malware authors to produce malicious code carrying - yet valid - digital signatures.
The study suggests that illicit code-signing certificates being sold by underground vendors are part of a rising trend triggered by the increasing use of Microsoft’s Windows Defender SmartScreen. SmartScreen is a feature included with Windows 10 that acts as an additional layer of security, alerting users if they download files or access websites without valid certificates.
When SmartScreen encounters a certificate for the first time, it alerts the user, who has to click-through a warning in order to proceed. However, for just a few thousand dollars, it’s possible to purchase a certificate that SmartScreen will see as trustworthy. The study suggests that SmartScreen use “plays a growing role” in the trend.
The study took an in-depth look at two aspects of the trade: first, it investigated four leading vendors of Authenticode certificates. Next, it collected a data set of recently signed malware and used that to “study the relationships among malware developers, malware families and the certificates.”
The researchers also studied information obtained from the black market to fingerprint the certs traded and identify when they are used to sign malware in the wild.
The researchers concluded that: “While prior studies have reported the use of code-signing certificates that had been compromised or obtained directly from legitimate Certification Authorities, we observe that… these methods have become secondary to purchasing certificates from underground vendors. Together, these findings suggest that the trade in certificates issued for abuse represents an emerging segment of the underground economy.”
Google recently announced that it is planning to distrust all Symantec SSL certificates due to “repeated security incidents.” The new study suggests that once a malicious publisher has been discovered, all certificates provided by that publisher should be revoked.
The full study can be found here: https://arxiv.org/abs/1803.02931
PDF version: https://arxiv.org/pdf/1803.02931.pdf