Thursday 25 September 14:00 - 14:30, Red room.
Adrian Stefan Popescu Bitdefender
Gheorghe Jescu Bitdefender
Over the last couple of years, Windows has added a growing number of user notifications shown before a file is executed, ranging from prompts confirming the execution of downloaded applications to alerts for files that are not digitally signed. An increasing number of developers are using certificates issued by Certificate Authorities (CAs) to create a more trustworthy environment for users. Although certificates should be used by legitimate developers only, a large number of malware files are digitally signed with trusted certificates. This evasion technique succeeds not only against the operating system but also against security vendors that apply additional filters to files they consider trustworthy.
This paper presents an analysis of different methods of using a certificate to digitally sign malware files: either a stolen certificate originally issued to a trusted IT company, or a certificate issued to a developer who uses it with malicious intent. In the context of certificates issued by a trusted CA, we ask whether the potentially unwanted behaviour may have been intended from the beginning. Finally, the paper tries to raise awareness of possible applicant-selection issues at the CA level. Has an in-depth analysis been completed on the companies that request certificates, or on the files that will be signed? What should happen when a certificate is explicitly revoked for malicious behaviour?
Adrian Stefan Popescu
Adrian Popescu joined Bitdefender in 2008 as an anti-malware researcher when he was only in his first year of Bachelor studies in computer science at Alexandru Ioan Cuza University in Iasi. He received a Bachelor of Science degree in 2010, his Master of Science degree from the same university in 2012, and is now a Ph.D. Student at the same university. Today, he is a technical leader at Bitdefender. His main research concerns are in the field of machine learning and data mining applied to malware detection and web threats.
Gheorghe Jescu
Gheorghe Jescu was born in May 1985 in Vaslui, Romania. In July 2009, he graduated from the Faculty of Automatic Control and Computer Engineering in Iasi. Since January 2010 he has been working for Bitdefender as an anti-malware researcher. His hobbies are basketball, reading and travelling.