A new analysis highlights the prevalence of malware signed with certificates issued by trusted certificate authorities, and the problems with trust-based security.
Researchers with Chronicle, the cybersecurity company and Alphabet subsidiary, today published an analysis of their investigation into the trend of signed malware being used in the wild.
The process of cryptographically signing code was created to give the Windows operating system a means to distinguish good code from bad. Certificates are issued and signed by trusted certificate authorities (CAs), which are in turn backed by a trusted parent CA. The purpose behind signing a Windows executable file was to attest to the authenticity of code published on the Internet.
The problem is, this system is based on trust, and cybercriminals are taking advantage of it.
Malware authors buy these certificates, directly or through resellers. While a CA can revoke a certificate deemed untrustworthy — and more of them are doing so — revocation remains the only way to cut down on abuse. The process creates a window during which malware carries a trusted certificate.
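As an added example (not from the Chronicle analysis or this article), the PowerShell check below is what a defender can run against a Windows binary to see who signed it, whether the signature carries a timestamp, and whether the signer's chain still validates when revocation is looked up online; the file path is a placeholder.

```powershell
# Added example: report the Authenticode signer of a Windows executable and
# rebuild the signer's certificate chain with online CRL/OCSP revocation checking.
# The path passed in is a placeholder; supply the binary you want to inspect.
function Test-SignedBinary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = [ordered]@{
        Path          = $Path
        Status        = $sig.Status          # 'Valid' only if the signature verifies and the chain is trusted
        StatusMessage = $sig.StatusMessage
        Signer        = $null
        Issuer        = $null
        Timestamped   = [bool]$sig.TimeStamperCertificate   # a timestamp is what keeps a signature usable after expiry
        ChainTrusted  = $false
        ChainErrors   = @()
    }

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.Signer = $cert.Subject
        $result.Issuer = $cert.Issuer

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Force an online revocation lookup for every certificate in the chain, not just the leaf.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $result.ChainTrusted = $chain.Build($cert)
        # ChainStatus is empty on success; otherwise it lists flags such as Revoked, NotTimeValid or UntrustedRoot.
        $result.ChainErrors  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $chain.Dispose()
    }

    [pscustomobject]$result
}

# Usage on a placeholder path; a legitimately signed, unrevoked binary shows Status 'Valid',
# ChainTrusted True and an empty ChainErrors list.
Test-SignedBinary -Path 'C:\path\to\sample.exe' | Format-List
```

Rebuilding the chain at inspection time is deliberately stricter than Authenticode's own rule, which still accepts a timestamped signature when the certificate was revoked with an effective date later than the timestamp; a Revoked entry in ChainErrors is therefore the signal to look at the revocation date against the signing time.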