Malware: certified trustworthy - Update
According to anti-virus vendor F-Secure, the number of digitally signed malware samples for Windows is increasing - and more and more scareware programs also include a valid digital signature. Virus authors use this method to overcome various hurdles on Windows systems and suppress alerts such as those triggered when a program attempts to install an ActiveX control in Internet Explorer, or before installing a driver. F-Secure's list of potentially undesirable programs contains almost 400,000 digitally signed samples. In terms of malware, the list still includes almost 24,000 samples.
Authenticode is used for signing and checking software under Windows and is meant to verify the origin of software. Users tend to trust digitally signed software. Software without a digital signature triggers a dialogue that explicitly asks the user for confirmation before proceeding with the installation. In the 64-bit versions of Windows 7 and Vista, installing an unsigned driver isn't possible at all, even if a user were to wave it through.
F-Secure say that virus authors successfully use various tricks to obtain valid digital signatures or certificates for their programs. The most reliable method is to trick a Certificate Authority into issuing a code signing certificate. It seems that this has become just as easy as obtaining a valid SSL server certificate – a valid email address is sufficient. Internet fraudsters and criminals also use such services as Digital River, which sign software for their customers.
Virus authors can also misuse stolen certificates or private keys to sign their own software. Various versions of the Adrenalin, Ursnif and ZeuS families of botnets are said to contain functions for reading the relevant data from developers' infected PCs. However, in its malware database F-Secure has so far not found any sample that actually uses a stolen key.
What does seem to happen more and more often is that a trojan infects files on a developer's system, and that the developer's entire software package including the trojan is subsequently signed and deployed. Very often, virus programmers also sign their samples with keys and certificates they have signed themselves, using bogus information about the issuer or owner to mislead programs and users.
F-Secure estimates that the problem has, so far, not reached critical proportions because virus authors have not yet begun to exploit this method on a large scale. However, this could change with the widespread dissemination of Windows 7, because this version relies even more heavily on Authenticode than previous versions of Windows. In this case, anti-virus vendors will need to work in close cooperation with the Certificate Authorities to ensure that compromised and misused certificates (and keys) can be blocked as quickly as possible.
Update: According to a post on the blog of anti-virus vendor Sophos, the Troj/BHO-QP Browser Helper Object (BHO) malware, which disguises itself as a Flash Player extension from Microsoft, is using a fake VeriSign root certificate. Because the root certificate provided by the malware looks genuine, no warning is displayed on a user's system. The only way to confirm that it is indeed a rogue certificate is to make sure that the certificate fingerprints match.
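The fingerprint comparison the update describes, together with the self-signed-certificate check implied earlier in the article, can be scripted on Windows. The following PowerShell function is an added example and is not code from the article, F-Secure or Sophos. It assumes the built-in Get-AuthenticodeSignature cmdlet and the .NET X509Chain class, and the thumbprint table at the top holds placeholder values that an administrator would replace with the fingerprints of roots they have verified out of band.

```powershell
# Added example (not from the article): inspect an Authenticode signature and
# compare the chain's root against a pinned set of known-good root thumbprints.
# The thumbprints below are PLACEHOLDERS; replace them with values you have
# verified for the roots you actually trust.
$KnownGoodRoots = @{
    # '<40-hex-char SHA-1 thumbprint of a verified root>' = 'Friendly name'
    '0000000000000000000000000000000000000000' = 'PLACEHOLDER - verified root'
}

function Test-SignedBinary {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path       = $Path
        Status     = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Message    = $sig.StatusMessage
        Signer     = $null
        SelfSigned = $false
        RootThumb  = $null
        RootPinned = $false
        Verdict    = 'UNSIGNED'
    }

    # Unsigned file: nothing further to inspect.
    if ($null -eq $sig.SignerCertificate) {
        return [pscustomobject]$result
    }

    $signer = $sig.SignerCertificate
    $result.Signer = $signer.Subject

    # A self-signed signer (subject == issuer) is the "keys and certificates
    # they have signed themselves" case: no CA vouched for this identity.
    $result.SelfSigned = ($signer.Subject -eq $signer.Issuer)

    # Build the chain with revocation checking so that a code-signing
    # certificate revoked by its CA after a key compromise is reported.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainOk = $chain.Build($signer)

    # The last element of a built chain is the root. Compare its fingerprint
    # with the pinned value rather than trusting the name printed on it: a
    # bogus root that merely says "VeriSign" will not match.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $result.RootThumb  = $root.Thumbprint
    $result.RootPinned = $KnownGoodRoots.ContainsKey($root.Thumbprint)

    $result.Verdict = if ($sig.Status -ne 'Valid')       { 'INVALID' }
                      elseif ($result.SelfSigned)         { 'SELF-SIGNED' }
                      elseif (-not $chainOk)              { 'CHAIN-ERROR' }
                      elseif (-not $result.RootPinned)    { 'UNKNOWN-ROOT' }
                      else                                { 'OK' }

    $chain.Reset()
    return [pscustomobject]$result
}

# Example run over every executable and DLL below a directory, listing only
# the files that did not pass all checks:
# Get-ChildItem -Path 'C:\Path\To\Check' -Include *.exe,*.dll -Recurse |
#     ForEach-Object { Test-SignedBinary -Path $_.FullName } |
#     Where-Object { $_.Verdict -ne 'OK' } |
#     Format-Table Path, Status, Signer, RootThumb, Verdict -AutoSize
```

The point of the UNKNOWN-ROOT verdict is that it fires even when Windows itself reports the signature as valid: if a rogue root has been added to the local store, Get-AuthenticodeSignature will return Valid, but the root's thumbprint will not be in the pinned table. Keep the table small and populate it from fingerprints obtained directly from the CA, not from a certificate found on the machine being checked.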