Files signed with a digital certificate are often assumed to be secure by Web browsers and antivirus scanners, but according to Kaspersky Lab Inc., digital certificates are increasingly being used by attackers to slip malware into enterprises.
In new research released this week, Andrey Ladikov, head of strategic research at Kaspersky Lab, said that the number of legitimately obtained certificates embedded in malware has risen steadily every year since 2008, escalating from 1,500 known cases of digitally signed malware to more than 6,000 in 2014.
Protecting a company's digital certificates
Ladikov said that the mathematical methods used to sign a file are still reliable and hard to compromise, but detailed the various ways cybercriminals obtain valid digital certificates and apply them to malware.
Ladikov described a weakness Kaspersky has observed in how signed Windows executables are verified: extra data can be appended to the signature block of a signed file without invalidating the signature, because that area of the file is not covered by the hash the signature protects. Developers sometimes use this legitimately, for example so an installer can carry the location of a software download and have it changed without re-signing the installer. Because systems only verify the signature and perform no check on this extra space, Ladikov said, an attacker can hijack it with a link that downloads and installs malware on a user's machine.
Ladikov said that some certificate authorities (CAs) don't vet companies or individuals looking to purchase digital certificates, which is an opportunity attackers look to exploit. He said that the past few years have seen a rapid increase in the number of individual developers purchasing certificates. CAs seek to validate the identity of a purchaser, but often ask for nothing more than a bank card for an individual or registration info for a company, Ladikov said, meaning cybercriminals can either trick the CA into selling them digital certificates, or untrustworthy CAs can hand out certificates to anyone.
There are other methods to seed malware with legitimate certificates, but they are more difficult to accomplish, according to Ladikov, such as planting malicious code when a file is being compiled or stealing a private key. Neither method is impossible; most notably, in 2011 F-Secure Corp. found malware signed with a key stolen from the Malaysian government. However, these methods are challenging for attackers to pull off because organizations often have strong security controls on machines used to build software, and keep private keys in dedicated, well-protected hardware modules.
Mitigating the malware threat
In terms of protecting an organization from these types of attack, Ladikov said that dedicated hardware modules are needed to keep its own signing keys (the private keys behind its certificates) from compromise, but he noted that those keys are most likely to be stolen through the use of specialized malware. Because of this, Ladikov advises companies to also consider implementing specific security controls -- antivirus, firewall, and intrusion detection and prevention -- on any system that stores signing keys or certificates.
To mitigate the risk of malware carrying a valid digital certificate from a third party, Ladikov said, enterprises should consider a complete ban on running programs that have not been approved by a security administrator.
"However, in a corporate environment," Ladikov added, "it is crucial to find a balance between protection of the system and its flexibility."
To strike that balance, Ladikov suggested only allowing software from reputable manufacturers, because smaller companies are more likely to have keys stolen.
He also advised activating Microsoft security update MS13-098, which fixes the vulnerability allowing malware to be downloaded via additional data in a signed file (the stricter Authenticode check it ships is opt-in, turned on through the EnableCertPaddingCheck registry value under HKLM\Software\Microsoft\Cryptography\Wintrust\Config); not trusting certificates from unknown CAs; and using a trusted certificate database that is updated with certificates known to have been used to sign malware.
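As an added example (not from the Kaspersky research or this article), the script below shows concretely what the padding weakness described earlier and the MS13-098 fix are about: it locates the certificate table of a Windows PE file, measures how many bytes follow the DER-encoded PKCS#7 signature in each WIN_CERTIFICATE entry, and flags anything beyond the normal zero padding to an 8-byte boundary. The stand-in DER blob, the EXTRA marker (with a hypothetical URL), the sample entries and the toy PE header are all constructed here so the script runs offline; pass a real executable's path to audit it instead.

```python
"""Audit a PE file's Authenticode certificate table for data appended after the
PKCS#7 signature (the padding issue addressed by MS13-098).

Added example, not Kaspersky's or Microsoft's code. All sample data is constructed.
"""
import struct
import sys

# WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType (little-endian).
WIN_CERT_HEADER = struct.Struct("<IHH")
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

# Constructed stand-in for a DER PKCS#7 SignedData blob: one outer SEQUENCE with a
# long-form length of 256 bytes. Not a real signature.
FAKE_DER = b"\x30\x82\x01\x00" + b"\xAA" * 256
# Constructed marker for bytes an attacker might smuggle in (hypothetical URL).
EXTRA = b"CONSTRUCTED-EXTRA-DATA:https://example.invalid/stage2"


def der_total_length(blob: bytes) -> int:
    """Size of the outer DER SEQUENCE at the start of blob. A PKCS#7 blob is one
    SEQUENCE (tag 0x30) with a definite length, so bytes past this value are not
    part of the signature; the Authenticode hash excludes the whole certificate table."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                                  # short-form length
        return 2 + first
    n = first & 0x7F                                  # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def audit_certificate_table(table: bytes) -> list:
    """Walk every WIN_CERTIFICATE entry and report bytes past the DER blob. Up to 7
    zero bytes of alignment padding are normal; non-zero or longer trailing data is
    what WinVerifyTrust rejects once the MS13-098 check is enabled."""
    findings, offset = [], 0
    while offset + WIN_CERT_HEADER.size <= len(table):
        length, _rev, cert_type = WIN_CERT_HEADER.unpack_from(table, offset)
        if length < WIN_CERT_HEADER.size or offset + length > len(table):
            raise ValueError(f"WIN_CERTIFICATE at {offset}: bad dwLength {length}")
        body = table[offset + WIN_CERT_HEADER.size:offset + length]
        if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            findings.append({"offset": offset, "trailing": None, "suspicious": True,
                             "reason": f"unexpected certificate type 0x{cert_type:04x}"})
        else:
            trailing = body[der_total_length(body):]
            bad = len(trailing) > 7 or any(trailing)
            findings.append({"offset": offset, "trailing": len(trailing), "suspicious": bad,
                             "reason": "non-padding data after PKCS#7 blob" if bad else "ok"})
        offset += (length + 7) & ~7                   # next entry is quadword-aligned
    return findings


def certificate_table_from_pe(pe: bytes) -> bytes:
    """Return the raw certificate table (data directory entry 4) of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_hdr = e_lfanew + 4 + 20                       # skip signature + IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", pe, opt_hdr)[0]
    # DataDirectory starts at +96 (PE32, magic 0x10B) or +112 (PE32+); entry 4 is 32 bytes in.
    dd = opt_hdr + (128 if magic == 0x10B else 144)
    file_offset, size = struct.unpack_from("<II", pe, dd)  # a file offset, not an RVA
    return pe[file_offset:file_offset + size]


def build_entry(der: bytes, extra: bytes = b"") -> bytes:
    """Construct a quadword-padded WIN_CERTIFICATE around der plus optional extra bytes."""
    body = der + extra
    body += b"\0" * (-len(body) % 8)
    return WIN_CERT_HEADER.pack(WIN_CERT_HEADER.size + len(body),
                                WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body


def toy_pe(table: bytes) -> bytes:
    """Construct a minimal PE32 header whose certificate directory points at table."""
    hdr = bytearray(64 + 4 + 20 + 136)                # DOS header, PE sig, file hdr, opt hdr
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)             # e_lfanew
    hdr[64:68] = b"PE\0\0"
    struct.pack_into("<H", hdr, 88, 0x10B)            # optional header magic: PE32
    struct.pack_into("<II", hdr, 88 + 128, len(hdr), len(table))
    return bytes(hdr) + table


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            table = certificate_table_from_pe(f.read())
    else:                                             # demo on constructed data
        table = build_entry(FAKE_DER) + build_entry(FAKE_DER, EXTRA)
    for finding in audit_certificate_table(table):
        print(finding)
```

Run without arguments, the first (clean) entry reports four bytes of zero padding and is accepted, while the second carries 60 non-zero trailing bytes and is flagged. The same logic explains why the fix is a verification-time check rather than a new signature format: the signature is still valid over the hashed part of the file, so the only defence is to refuse extra bytes in the certificate table.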