SoylentNews

Title    One-Stop Counterfeit Certificate Shops. For All Your Malware-Signing Needs
Date    Sunday February 25 2018, @08:29AM
Author    Fnord666
from the broken-strands-in-the-web-of-trust dept.
https://soylentnews.org/article.pl?sid=18/02/24/1831219

Arthur T Knackerbracket has found the following story:

The Stuxnet worm that targeted Iran's nuclear program almost a decade ago was a watershed piece of malware for a variety of reasons. Chief among them, its use of cryptographic certificates belonging to legitimate companies to falsely vouch for the trustworthiness of the malware. Last year, we learned that fraudulently signed malware was more widespread than previously believed. On Thursday, researchers unveiled one possible reason: underground services that since 2011 have sold counterfeit signing credentials that are unique to each buyer.

"Contrary to a common belief that the security certificates circulating in the criminal underground are stolen from legitimate owners prior to being used in nefarious campaigns, we confirmed with a high degree of certainty that the certificates are created for a specific buyer per request only and are registered using stolen corporate identities, making traditional network security appliances less effective," Andrei Barysevich, a researcher at Recorded Future, reported.

Barysevich identified four such sellers of counterfeit certificates since 2011. Two of them remain in business today. The sellers offered a variety of options. In 2014, one provider calling himself C@T advertised certificates that used a Microsoft technology known as Authenticode for signing executable files and programming scripts that can install software. C@T offered code-signing certificates for macOS apps as well. His fee: upwards of $1,000 per certificate.

[...] "Although code signing certificates can be effectively used in widespread malware campaigns such as the distribution of banking trojan or ransomware, the validity of the certificate used to sign a payload would be invalidated fairly quickly," [Barysevich] explained. "Therefore, we believe that the limited number of power-users specializing in more sophisticated and targeted campaigns, such as corporate espionage, is the main driving force behind the new service."
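The practical consequence of the story above is that a signature which verifies as valid is not, on its own, evidence that the signer is who you expect: a certificate issued on a stolen corporate identity chains to a trusted root just like a legitimate one until it is revoked. The following PowerShell audit script is an added example, not code from the article or from Recorded Future; it assumes a folder path and an allowlist of known-good signer thumbprints that you supply yourself. It records the Authenticode status, the signer's subject and issue date, forces an online revocation check of the chain, and only reports "allowlisted" when the signer thumbprint is one you already trust; a valid but unknown signer is flagged for review rather than accepted.

```powershell
# Added example (not from the article): audit signed executables in a folder.
# A "Valid" Authenticode status only proves the file is unmodified since signing
# and that the certificate chained to a trusted root at check time; it says
# nothing about whether the signer is who you expect.

param(
    [string]$Path = "C:\Temp\downloads",   # assumed folder; adjust to your environment
    [string[]]$TrustedThumbprints = @()     # assumed allowlist, filled from your own known-good inventory
)

Get-ChildItem -Path $Path -Include *.exe,*.dll,*.ps1 -Recurse -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $result = [ordered]@{
        File       = $_.FullName
        Status     = $sig.Status
        Signer     = $null
        Issuer     = $null
        NotBefore  = $null      # a very recent issue date is a signal, given per-buyer issuance
        Revocation = 'n/a'
        Verdict    = 'unsigned'
    }

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.Signer    = $cert.Subject
        $result.Issuer    = $cert.Issuer
        $result.NotBefore = $cert.NotBefore

        # Rebuild the chain with online CRL/OCSP checking for every certificate in it,
        # so a certificate revoked after the fact is caught now rather than from a cache.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $chainOk = $chain.Build($cert)
        $result.Revocation = if ($chainOk) { 'clean' } else { ($chain.ChainStatus | ForEach-Object Status) -join ',' }

        if ($sig.Status -ne 'Valid' -or -not $chainOk) {
            $result.Verdict = 'reject'
        } elseif ($TrustedThumbprints -contains $cert.Thumbprint) {
            $result.Verdict = 'allowlisted'
        } else {
            # Valid chain, unknown signer: the case the article describes, a freshly
            # issued certificate carrying a real company name. Escalate, do not trust.
            $result.Verdict = 'review'
        }
    }

    [pscustomobject]$result
}
```

Run it with `-Path` pointing at a download or staging directory and `-TrustedThumbprints` populated from certificates you have verified out of band; the `review` verdicts are the ones worth a second look, since they are exactly what a per-buyer counterfeit certificate would produce until the issuing CA revokes it.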


Original Submission

Links

  1. "following story" - https://arstechnica.com/information-technology/2018/02/counterfeit-certificates-sold-online-make-digitally-signed-malware-a-snap/
  2. "fraudulently signed malware was more widespread than previously believed" - https://arstechnica.com/information-technology/2017/11/evasive-code-signed-malware-flourished-before-stuxnet-and-still-does/
  3. "Authenticode" - https://blogs.msdn.microsoft.com/ieinternals/2011/03/22/everything-you-need-to-know-about-authenticode-code-signing/
  4. "Original Submission" - https://soylentnews.org/submit.pl?op=viewsub&subid=25015

© Copyright 2024 - SoylentNews, All Rights Reserved