Malware creators are abusing the code-signing process associated with public key infrastructure (PKI), and their actions are a considerable threat to internet authentication systems.

At the recent ACM Conference on Computer and Communications Security in Dallas, security researchers from the University of Maryland highlighted potential problems in the code-signing approach used in PKI. These flaws affect some products created by antivirus firms and could create significant issues for businesses that rely on PKI for authentication.

The Problem With Public Key Infrastructure

The researchers analyzed more than 150,000 malware samples from a 2014 data set and discovered 325 samples that either held a valid, revoked or malformed certificate. In the report, they noted that digitally signed malware can sidestep the protection mechanisms that ensure programs are only launched when they have valid signatures. Such malware can also dodge sophisticated antivirus technologies.

They concluded that exploitation focuses on three kinds of flaws in the code-signing PKI: publisher-side key mishandling, insufficient client-side safeguards of certificates and certificate authority-side confirmation breakdowns.

When it comes to publisher-side issues, they discovered 72 compromised certificates within 325 malware samples. Five of the eight publishers who were subsequently contacted about the issues were unaware of the problematic certification and potential exploitation.

Worse still, two-thirds of malware samples signed with these 72 compromised certificates are still effective, according to the report. In these instances, the signature check does not produce any errors and could provide a means for threat actors to bypass system protection measures.

In fact, malware creators might not even require the power of a code-signing certificate. The paper noted that a flaw in 34 antivirus products allowed fraudsters to copy signatures from a legitimate file to a known malware sample without being detected.

The researchers disclosed the problem to antivirus companies, two of which confirmed that their products failed to check the signature properly. One vendor announced plans to fix the issue.
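For defenders, both failure modes above come down to reading the full verification result rather than treating the presence of a signature as trust. The PowerShell sketch below is an added example, not code from the researchers or any vendor; the blocklist, its placeholder thumbprint and the C:\Samples folder are assumptions for illustration.

```powershell
# Added example: classify Authenticode results instead of trusting that a
# signature merely exists on the file.
# $CompromisedThumbprints is a hypothetical local blocklist; the entry below is
# a placeholder, not a real certificate thumbprint.
$CompromisedThumbprints = @(
    '0000000000000000000000000000000000000000'
)

function Get-SignatureVerdict {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Blocklist = $CompromisedThumbprints
    )

    # Get-AuthenticodeSignature recomputes the file hash and compares it with
    # the hash inside the signature, then evaluates trust in the signer.
    $sig   = Get-AuthenticodeSignature -LiteralPath $Path
    $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }

    $verdict = switch ($sig.Status) {
        'NotSigned'    { 'unsigned' }
        # A signature that does not belong to this file's contents lands here.
        'HashMismatch' { 'signature does not match file contents' }
        'Valid' {
            # A clean check is not enough when the signing key is known to be
            # compromised, so compare the signer against the blocklist too.
            if ($thumb -and $Blocklist -contains $thumb) {
                'valid signature, signer on compromised list'
            } else {
                'valid'
            }
        }
        default        { "untrusted ($($sig.Status))" }
    }

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Thumbprint = $thumb
        Verdict    = $verdict
    }
}

# Report every executable under the (assumed) sample folder that is not cleanly valid.
Get-ChildItem -Path 'C:\Samples' -Recurse -File -Include *.exe, *.dll |
    ForEach-Object { Get-SignatureVerdict -Path $_.FullName } |
    Where-Object Verdict -ne 'valid'
```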

PKI Problems Getting Progressively Worse

Doowon Kim, one of the researchers involved in the project, told Threatpost that problems with code signing are systemic and PKI abuses are becoming progressively worse. He noted that 80 percent of exploited certificates are still a threat six years after being originally used to sign malware.

The Cyber Security Research Institute recently discovered that threat actors can purchase code-signing certificates on the Dark Web for $1,200, Beta News reported. Peter Warren, chairman of CSRI, said that the criminal market for certificates casts doubt over the entire authentication system for the internet.

With the threat level rising and compromised certificates readily available to fraudsters, these code-signing concerns pose a serious threat to businesses that rely on public key infrastructure.
