grandeduc - Fotolia

How can enterprises defend against digitally signed malware?

Malicious software using legitimate digital certificates is reportedly on the rise. Expert Nick Lewis explains how to mitigate the risks of digitally signed malware.

Nick Lewis

Digitally signed malware is increasing, according to a new study from Kaspersky Lab. Are there any ways to detect and/or mitigate the risk of malicious files using legitimate digital certificates?

One of the most important steps of using software signed with digital certificates is checking to see if the signing certificate has been revoked. If any signing certificate -- especially a software signing certificate -- has been compromised, it should be immediately revoked.

It may also be in the software developer's best interest to be transparent; notify customers that the software signing certificate was revoked and explain how security was improved so this won't happen again. Customers that check certificate revocations may notice the certificate is revoked and then ask what happened, so preempting this confusion can demonstrate how committed a software developer is to security.

On the other hand, if the software developer hasn't identified a compromised certificate when notified by a customer, it should investigate immediately and revoke the certificate.

The threat of digitally signed malware is certainly extending to the enterprise. New research from Kaspersky Labs found digitally signed malware is a growing exponentially -- and enterprises had best be prepared for it.

Potentially the most effective step to mitigating the risk of digitally signed malware is to only allow approved executables to run on endpoint systems; this can be accomplished by whitelisting the approved executables. This would require significantly more effort for attackers to successfully compromise endpoints with signed malware.

Other steps enterprises can take include checking if software is signed by a certificate from a well-known and trusted authority, or even signed by an approved certificate authority. Enterprises may also want to inventory all files on a system and check each signed file to see who signed it to ensure it would meet the signing requirements for new files.

At a minimum, enterprises should enable endpoints to check for revocation for signed software.

Ask the Expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)

Next Steps

Take a closer look at digital security certificate problems and how to mitigate them

Find out why fake SSL certificates enable variety of security threats

This was last published in October 2015

How can enterprises defend against digitally signed malware?

Malicious software using legitimate digital certificates is reportedly on the rise. Expert Nick Lewis explains how to mitigate the risks of digitally signed malware.

Next Steps

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

certificate revocation list (CRL)

The evolution of the Let's Encrypt certificate authority

How is Plead malware used for cyberespionage attacks?

Stolen digital certificates used in Plead malware spread

Related Q&A from Nick Lewis

What are port scan attacks and how can they be prevented?

Explore benefits and challenges of cloud penetration testing

What are the best criteria to use to evaluate cloud service providers?