Signing code is a legitimate technique that developers have been using for a long time. To do this, they use a digital certificate issued by a trusted certificate authority (CA), so that users, antivirus products and operating systems can verify that the code is genuine and has not been modified since it was signed.
In principle, only developers whose identity has been verified by the CA can sign their code, and they do so with their own digital certificate. Thanks to the cryptography involved, these certificates cannot be forged or cloned. Even so, hackers have found ways to get their code signed.
How malware is signed with an original certificate
In general, to certify that a developer is legitimate and really belongs to the company it claims to represent, the certificate authority imposes quite demanding requirements. However, hackers can forge the documentation needed to pass those checks, impersonate a legitimate organization and obtain a certificate with which to sign their pieces of malware. It is also possible for hackers to break into a company and steal its certificate; a stolen certificate that is still valid commands a very high price on the black market.
Once hackers have their code signed, Windows and antivirus security measures are almost always defeated. When we run it, the system trusts the code by default and it ends up infecting the machine without anything or anyone being able to stop it.
Two pieces of malware that have made use of this technique are:
- Stuxnet: this malware used two digital certificates from JMicron and Realtek to pass itself off as a driver and even to attack (and destroy, as far as its computer systems were concerned) a nuclear power plant.
- Flame: this spyware took advantage of a cryptographic flaw to create its own certificates. Its goal was to spy on documents, not to cause damage.
Furthermore, in 2018, a group of hackers even managed to distribute an update for ASUS computers signed with a legitimate digital certificate, infecting half a million machines with malware in a matter of seconds. Luckily, it was a targeted attack that sought to infect 600 very specific computers, so the impact in the end was very small.
How do I protect myself from these threats?
Although this is a very dangerous technique (especially for users), luckily it is not widely used. Obtaining a valid certificate is increasingly difficult, since companies protect theirs better and better, and increasingly expensive, since the few that do leak are highly valued on the black market. Furthermore, once a certificate has been used to sign a threat, it remains usable for only a very limited time. Therefore, only very specific malware, built for very specific purposes, makes use of this technique.
To protect ourselves we must follow the usual practices. The most important thing, in addition to common sense, is to make sure we keep Windows and our antivirus always up to date. This way we receive the blacklist of certificates that have been compromised and, if a piece of malware signed with one of them reaches our PC, it will not be able to infect us.
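The same check can be done by hand on a Windows machine. The script below is an added example, not part of the original article: it validates the Authenticode signature of each executable in a folder and then compares the signer's thumbprint against a locally maintained blocklist of compromised certificates, because a signature that verifies correctly still proves nothing if the certificate behind it was stolen. The thumbprints in the blocklist and the folder path are constructed placeholders.

```powershell
# Added example: triage Authenticode signatures and flag binaries signed with a
# known-compromised certificate. Thumbprints below are CONSTRUCTED placeholders;
# replace them with values from your vendor's or CERT's published lists.
$CompromisedThumbprints = @(
    '0000000000000000000000000000000000000001',   # placeholder: stolen vendor cert
    '0000000000000000000000000000000000000002'    # placeholder: forged cert
)

function Get-SignerVerdict {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Blocklist = $CompromisedThumbprints
    )

    # Get-AuthenticodeSignature verifies the embedded signature and builds the
    # signer's certificate chain against the machine's trust store.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    $verdict = switch ($sig.Status) {
        'Valid'        { 'TRUSTED' }
        'NotSigned'    { 'UNSIGNED' }
        'HashMismatch' { 'TAMPERED' }    # file was modified after it was signed
        default        { 'UNTRUSTED' }   # untrusted root, revoked chain, bad format
    }

    # A cryptographically valid signature is not enough: a compromised certificate
    # signs malware just as well as genuine software, so the signer is checked
    # against the blocklist before a 'Valid' result is trusted.
    if ($cert -and ($Blocklist -contains $cert.Thumbprint)) {
        $verdict = 'BLOCKLISTED'
    }

    [pscustomobject]@{
        File        = $Path
        Status      = $sig.Status
        Verdict     = $verdict
        Signer      = if ($cert) { $cert.Subject }    else { $null }
        Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
        Expires     = if ($cert) { $cert.NotAfter }   else { $null }
        Timestamped = [bool] $sig.TimeStamperCertificate   # countersigned, survives cert expiry
    }
}

# Usage: scan every executable, library and driver under a folder (placeholder path).
Get-ChildItem -Path 'C:\Temp\Downloads' -Include *.exe,*.dll,*.sys -Recurse -File |
    ForEach-Object { Get-SignerVerdict -Path $_.FullName } |
    Sort-Object Verdict |
    Format-Table -AutoSize
```

Anything reported as BLOCKLISTED or TAMPERED should be quarantined and submitted to your antivirus vendor, even though Windows would otherwise have run a BLOCKLISTED file as trusted.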