Trusted code signing abuse by malware and their exploitation of the CA verification process (sponsor presentation)

Wednesday 5 October 17:00 - 17:30, Green room

Geoff McDonald (Microsoft)
Duc Nguyen (Microsoft)

Trusted certificates play an important role for security and trust in computing. Certificate Authorities (CAs) verify the identity of individuals and organizations, and issue them certificates that can be used to prove their identity and validate the content for applications such as secure websites (TLS) or in code-signing of executables or installer packages. These certificates are a great way to build user trust and they effect a lot of user experiences – such as how warning dialogs are presented to the user when a file is downloaded from the web. Similarly, code-signing can affect the underlying decision process from AV vendors as to whether a file is clean or malicious. Although generally a tool for good, certificates issued by CAs are in some cases stolen, or issued directly to the malware attackers. In this presentation we will be presenting a trend where we are seeing a rise in malware actors repeatedly being issued digital certificates directly from the CAs.

During the presentation we will start with a simple background to digital certificates and their corresponding CAs. We will then present two recent malware cases (Trojan:Win32/Kovter and TrojanClicker:Win32/NightClick) where the malware authors are repeatedly being directly issued trusted certificates and how they are abusing these certificates. Looking at the root of the problem, we will then look at how the identity validation process works in CAs and how we believe these malware attackers are subverting the verification process to receive their own certificates. Finally, we will discuss and brainstorm on the future of code-signing and its role in the AV industry.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.