grandeduc - Fotolia

How can enterprises defend against digitally signed malware?

Malicious software using legitimate digital certificates is reportedly on the rise. Expert Nick Lewis explains how to mitigate the risks of digitally signed malware.

Nick Lewis

Digitally signed malware is increasing, according to a new study from Kaspersky Lab. Are there any ways to detect and/or mitigate the risk of malicious files using legitimate digital certificates?

One of the most important steps of using software signed with digital certificates is checking to see if the signing certificate has been revoked. If any signing certificate -- especially a software signing certificate -- has been compromised, it should be immediately revoked.

It may also be in the software developer's best interest to be transparent; notify customers that the software signing certificate was revoked and explain how security was improved so this won't happen again. Customers that check certificate revocations may notice the certificate is revoked and then ask what happened, so preempting this confusion can demonstrate how committed a software developer is to security.

On the other hand, if the software developer hasn't identified a compromised certificate when notified by a customer, it should investigate immediately and revoke the certificate.

The threat of digitally signed malware is certainly extending to the enterprise. New research from Kaspersky Labs found digitally signed malware is a growing exponentially -- and enterprises had best be prepared for it.

Potentially the most effective step to mitigating the risk of digitally signed malware is to only allow approved executables to run on endpoint systems; this can be accomplished by whitelisting the approved executables. This would require significantly more effort for attackers to successfully compromise endpoints with signed malware.

Other steps enterprises can take include checking if software is signed by a certificate from a well-known and trusted authority, or even signed by an approved certificate authority. Enterprises may also want to inventory all files on a system and check each signed file to see who signed it to ensure it would meet the signing requirements for new files.

At a minimum, enterprises should enable endpoints to check for revocation for signed software.

Ask the Expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)

Next Steps

Take a closer look at digital security certificate problems and how to mitigate them

Find out why fake SSL certificates enable variety of security threats

This was last published in October 2015

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

PKI (public key infrastructure) A public key infrastructure (PKI) supports the distribution and identification of public encryption keys, enabling users and computers to both securely exchange data over networks such as the Internet and verify the identity of the other party.

How is Plead malware used for cyberespionage attacks? Cyberespionage hackers have used stolen digital certificates to steal data. Expert Michael Cobb explains how hackers sign Plead malware to conduct these attacks.

Stolen digital certificates used in Plead malware spread Researchers found the spread of Plead malware was aided by the use of stolen digital certificates, making the software appear legitimate and hiding the true nature of the attacks.

Certificate revocation list error strands sites signed by GlobalSign Attempting to tidy its root certificates, a mis-issued GlobalSign certificate revocation list left website owners scrambling to address cert errors, restore safe browsing icons.

Certificate Revocation List (CRL) A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority and should not be trusted. Web browsers use CRLs to determine whether a website's digital certificate is still valid and trustworthy.

Should enterprises use the Let's Encrypt open certificate authority? Let's Encrypt, a new open certificate authority, is coming soon. Expert Michael Cobb explores the merits of using free and open CAs and whether or not enterprises should explore them.

Nick Lewis asks:

How big of a threat is digitally signed malware?

Join the Discussion

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Information Security experts

View all Information Security questions and answers

Join the conversation

2 comments

Send me notifications when other members comment.

Oldest

[-]

searchsecurity - 2 Oct 2015 5:29 AM

How big of a threat is digitally signed malware?

ToddN2000 - 26 Feb 2016 1:23 PM

Thanks for the heads up on another issue I can lose sleep over. People today are getting creative on their exploits. I'm afraid we will never keep pace with them.

How can enterprises defend against digitally signed malware?