'Want my autograph?': The use and abuse of digital signatures by malware

Mike Wood Sophos

  download slides (PDF)

Encryption has always been a part of malware, from basic ROT13 string encoding to multi-layered packing algorithms. However, malware authors are rapidly discovering numerous ways to exploit the public key infrastructure (PKI) in addition to their home-grown crypto.

With the many layers that make up the PKI - certificate issuance, verification, revocation and all of the protocols and software that go in between - scammers have a multitude of vulnerabilities at their fingertips to abuse the overall system. For instance, automated vetting for digital certificate purchases makes it a snap to anonymously set up a phishing or rogue e-commerce site that is fully equipped with a certificate trusted by most major browsers. Moreover, malware authors are able to masquerade their trojans as binaries from a legitimate source, using valid or invalid signatures, as most users simply click through the related security warnings. Making matters worse, much of the endpoint software consuming digitally signed content have their own weaknesses, including off-by-default certificate revocation checking mechanisms as well as vulnerabilities in certificate parsing routines.

In addition to abuse, malware authors have also discovered ways to use the PKI for their own benefit, including extortion (e.g. ransomware) and to achieve secure updates.

PKI abuse is a complex and multi-layered threat, which ultimately boils down to effectively managing an individual's trust in something they do not fully understand. This fits in with a broader and growing trend of malware authors investing more, both in terms of time and money, to build up trust in their malicious wares.

This paper captures the spectrum of digital signature use in malware - the abuses, the technical and social challenges, and possible approaches to turn the criminals' investment in their fraudulent reputation into appropriate protection mechanisms.