Study Shows Widespread Abuse of Code Signing Certificates

August 4, 2022 | Larry Seltzer

VirusTotal, a public malware-scanning service owned by Chronicle, the security services arm of Google Cloud, has released a study showing the extent to which abuse of code signing certificates has become a standard technique in malware.

The highlights of the study – Deception at Scale: How Malware Abuses Trust – include:

  • Since 2021, VirusTotal has found more than 1 million signed malware samples. In 87% of the samples, the certificate used to sign them was valid when VirusTotal received the sample.
  • 4000 samples either executed legitimate app installers or were packed together with them.
  • Many of the most popular domains have distributed “suspicious samples,” including 10% of the Alexa Top 1000.

Some legitimate sites distributing malware are service providers, such as amazonws.com, squarespace.com, baidu.com, and archive.org. The users distributing malware are violating terms of service. Even so, many users will accept a properly signed program from a legitimate site as a matter of course.

Malware increasingly mimicking legitimate software

Malware has increasingly been mimicking legitimate software, with Skype, Adobe Acrobat, and VLC the most common. VirusTotal detects this partly by looking for embedded icons identical to legitimate ones. There was a burst of such malware in January and February of 2022.

The most-mimicked applications in the study were:

  • Skype 28%
  • Adobe Acrobat 18.2%
  • VLC 17.6%
  • 7zip 11.5%
  • Team Viewer 7.5%
  • CCleaner 5.6%
  • Microsoft Edge 2.5%
  • Steam (Valve) 2.3%
  • Zoom 1.8%
  • Whatsapp 0.8%

Certificate consumers defenseless against malware signed with legit certificates

Using a similar technique, VirusTotal also looked at fake versions of legitimate web sites by comparing the favicon used on the site. A favicon is an icon associated with a web site. Some web browsers, including Safari, show them in the address bar along with the address. Chrome shows them in the Bookmarks Bar and menu. You’ll also find them on tabs and elsewhere. The three most-mimicked web sites found in this way were WhatsApp (23%), Instagram (22.5%), and Facebook (13%), with a big drop-off after that.

There was a time when conventional wisdom said that an executable was trustworthy when it was code-signed. Then it became clear that you needed to determine what entity was signing it. This remains best practice, but it’s not always enough. Certificate consumers are generally defenseless against malware signed with legit certificates from well-known entities.

There have been many cases where attackers have stolen the code signing certificates of legitimate software companies or hijacked their development facilities to sign malware. See Adobe, JMicron and Realtek (as part of the Stuxnet attack), SolarWinds, and Nvidia.

But if the certificates were still valid for 87% of the signed samples, they were invalid for 13%. This underscores the importance of revocation checking in every case where you verify a code signature, not just checking that a signature is present and chains to a trusted root.

“One of the most effective social engineering techniques consists of hiding malware by packaging it into installation packages with legitimate software. This becomes a supply chain attack when attackers get access to the official distribution server, source code, or certificates.”

-- Deception at Scale, VirusTotal, August 2, 2022

Dirty secret of code signing

The study also shows the importance of vigorous malware scanning – probably with more than one antivirus engine – of all executables before they are installed anywhere. This, too, will root out many malicious samples. In some cases, you may want to scan executables using VirusTotal, which “inspects items with over 70 antivirus scanners and URL/domain blocklisting services, in addition to a myriad of tools to extract signals from the studied content.” Incorporating this as a standard practice may be difficult.
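As an added example (not code from the article or from VirusTotal), the following Python turns a multi-engine scan result into an allow/review/block decision of the kind the paragraph above argues for. It hashes a file, builds the VirusTotal v3 file-report request by hash (so only the digest leaves the machine), and then applies a threshold policy to the `last_analysis_stats` block of the report. The report embedded below is constructed in the shape of a v3 response so the example runs offline; the field names follow the public v3 schema, the numbers are invented, and the `signature_info.verified` value is an assumption about how signed-PE reports are labelled. The point it makes is the article's: a file can be "Signed" and still be flagged by a dozen engines.

```python
"""Score a file against a multi-engine scan report (VirusTotal v3 shape).
Added example; the report below is CONSTRUCTED, not a real VirusTotal result."""
import hashlib
import json
import urllib.request

# VirusTotal v3 file-report endpoint: lookup is by SHA-256, no upload needed.
VT_FILE_REPORT = "https://www.virustotal.com/api/v3/files/{sha256}"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_report_request(data: bytes, api_key: str) -> urllib.request.Request:
    """Build (but do not send) the GET request for a file's existing report.
    Only the digest is transmitted; the binary itself stays on the host."""
    url = VT_FILE_REPORT.format(sha256=sha256_hex(data))
    return urllib.request.Request(url, headers={"x-apikey": api_key})


# Constructed report in the v3 shape. Values are invented for the demo; the
# signature_info block is an assumption about how VT labels a signed PE.
SAMPLE_REPORT = json.dumps({
    "data": {
        "type": "file",
        "id": sha256_hex(b"constructed installer bytes"),
        "attributes": {
            "last_analysis_stats": {
                "malicious": 12, "suspicious": 3, "undetected": 55,
                "harmless": 0, "type-unsupported": 4, "timeout": 0,
            },
            "signature_info": {"verified": "Signed",
                               "signers": "Example Software Ltd"},
        },
    }
})


def verdict(report_json: str, block_at: int = 2, review_at: int = 5) -> dict:
    """Policy over the engine counts:
       - >= block_at engines call it malicious           -> block
       - malicious + suspicious >= review_at              -> human review
       - otherwise                                        -> allow
    A valid signature never lowers the score; it is reported but not trusted."""
    attrs = json.loads(report_json)["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    # Engines that produced a verdict (type-unsupported/timeout are not votes).
    engines = (malicious + suspicious
               + stats.get("undetected", 0) + stats.get("harmless", 0))
    if malicious >= block_at:
        decision = "block"
    elif malicious + suspicious >= review_at:
        decision = "review"
    else:
        decision = "allow"
    signed = attrs.get("signature_info", {}).get("verified") == "Signed"
    return {"decision": decision, "malicious": malicious,
            "suspicious": suspicious, "engines": engines, "signed": signed}


if __name__ == "__main__":
    req = build_report_request(b"constructed installer bytes", "YOUR_API_KEY")
    print(req.get_method(), req.full_url)          # request that would be sent
    print(verdict(SAMPLE_REPORT))                   # signed, yet 12/70 say malicious
```

The thresholds are deliberately low: with 70 engines voting, two independent "malicious" verdicts are already a strong signal, and the `review` tier exists so that a signed installer with a handful of suspicious hits is looked at by a person rather than waved through because the signature checks out.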

There’s also a dirty secret of code signing: if the signature passes the check and the application is installed, that’s the end of code signing’s usefulness. There is no process for notifying users who installed an application that the code signing cert for it was revoked. 
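The three checks the article walks through (is it signed, who signed it, and is the certificate still good) and the gap it closes on (nobody tells an installed application that its certificate was revoked) can be made concrete in code. The following Python is an added example, not code from the article or from VirusTotal, and uses the `cryptography` package to build a constructed toy PKI: a root CA, a code-signing certificate for a publisher, a signed "installer" blob and a CRL. The names "Example Root CA", "Example Software Ltd" and "Totally Legit Apps" are invented. Real Authenticode wraps all this in PKCS#7 with countersigned timestamps, which the example leaves out; the verifier logic is the same. The demo runs the same verifier at install time, against a look-alike sample whose certificate is perfectly valid but belongs to an unknown publisher, and again 30 days later after the CA has revoked the publisher's certificate.

```python
"""Code-signature verifier that checks WHO signed and WHETHER the certificate is
still trusted, on a constructed toy PKI. Added example, not the article's code."""
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = dt.datetime(2022, 8, 4)  # naive UTC, the article's publication date


def _name(cn: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _builder(subject, issuer, pub, days_before, days_after):
    return (x509.CertificateBuilder().subject_name(_name(subject)).issuer_name(issuer)
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - dt.timedelta(days=days_before))
            .not_valid_after(NOW + dt.timedelta(days=days_after)))


def make_ca():  # constructed root; in practice this is the OS trust store
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (_builder("Example Root CA", _name("Example Root CA"), key.public_key(), 365, 3650)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_signing_cert(ca_key, ca_cert, publisher):
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (_builder(publisher, ca_cert.subject, key.public_key(), 30, 365)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CODE_SIGNING]),
                           critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def make_crl(ca_key, ca_cert, revoked_serials, issued_at):
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(issued_at).next_update(issued_at + dt.timedelta(days=7)))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(serial).revocation_date(issued_at).build())
    return b.sign(ca_key, hashes.SHA256())


def sign_blob(key, blob: bytes) -> bytes:
    return key.sign(blob, ec.ECDSA(hashes.SHA256()))


def _validity(cert):  # tolerate both old and new `cryptography` attribute names
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is None:
        return cert.not_valid_before, cert.not_valid_after
    return nb.replace(tzinfo=None), cert.not_valid_after_utc.replace(tzinfo=None)


def verify_signed_blob(blob, sig, cert, ca_cert, crl, trusted_publishers, signed_at):
    """Return the list of failed checks; an empty list means the blob passes."""
    findings = []
    try:  # 1. the signature really covers these bytes
        cert.public_key().verify(sig, blob, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        findings.append("bad signature")
    try:  # 2. the signing certificate was issued by a CA we trust
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        findings.append("not issued by trusted CA")
    eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    if ExtendedKeyUsageOID.CODE_SIGNING not in eku:  # 3. right kind of certificate
        findings.append("not a code-signing certificate")
    publisher = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if publisher not in trusted_publishers:  # 4. WHO signed, not merely "it is signed"
        findings.append(f"untrusted publisher: {publisher}")
    not_before, not_after = _validity(cert)
    if not not_before <= signed_at <= not_after:  # 5. valid when the signature was made
        findings.append("certificate not valid at signing time")
    if not crl.is_signature_valid(ca_cert.public_key()):  # 6. revocation, from a CRL we trust
        findings.append("CRL not signed by trusted CA")
    elif crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        findings.append("certificate revoked")
    return findings


def demo():
    ca_key, ca_cert = make_ca()
    pub_key, pub_cert = issue_signing_cert(ca_key, ca_cert, "Example Software Ltd")
    other_key, other_cert = issue_signing_cert(ca_key, ca_cert, "Totally Legit Apps")
    trusted = {"Example Software Ltd"}
    installer = b"constructed installer bytes"
    sig = sign_blob(pub_key, installer)
    clean_crl = make_crl(ca_key, ca_cert, [], NOW)
    # Install time: known publisher, nothing revoked -> passes.
    at_install = verify_signed_blob(installer, sig, pub_cert, ca_cert, clean_crl, trusted, NOW)
    # Look-alike: valid chain, valid certificate, but not a publisher we trust.
    lookalike = verify_signed_blob(installer, sign_blob(other_key, installer), other_cert,
                                   ca_cert, clean_crl, trusted, NOW)
    # 30 days later the CA revokes the publisher's certificate. Nothing notifies the
    # host that already installed the package; only a periodic re-check catches it.
    later = NOW + dt.timedelta(days=30)
    revoked_crl = make_crl(ca_key, ca_cert, [pub_cert.serial_number], later)
    recheck = verify_signed_blob(installer, sig, pub_cert, ca_cert, revoked_crl, trusted, NOW)
    return {"at_install": at_install, "lookalike": lookalike, "recheck": recheck}


if __name__ == "__main__":
    for stage, problems in demo().items():
        print(f"{stage:10s} {'PASS' if not problems else problems}")
```

The `recheck` stage is the operational answer to the "dirty secret": an inventory of installed software that records each package's signing certificate (issuer and serial) can be re-verified against fresh CRL or OCSP data on a schedule, turning a revocation that would otherwise go unnoticed into an alert.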

The main call to action is to remind everyone who signs code of the importance of storing keys in HSMs where they will be well-protected. Protection of the build systems is every bit as important.

About the author

Larry Seltzer, Technical Content Writer, Venafi