Chains of Distrust: Towards Understanding Certificates Used for Signing Malicious Applications

Digital certificates are key component of trust used by many operating systems. Modern operating systems implement a form of digital signature verification for various applications, including kernel driver installation, software execution, etc. Digital signatures rely on digital certificates that authenticate the signature, which then verify the validity of a given signature for a signed binary. Malware attempts to subvert the chain of trust through several techniques to achieve execution, evasion, and persistence. In this paper, we examine a large corpus of malware (3.3 million samples) to extract digital signatures and their corresponding certificates. We examine several characteristics of the digital certificates to study features in the process of malware authorship that will potentially be used for characterizing and classifying malware. We look at many features including the certificate’s chain length, the issue and expiration year, the validity duration of a certificate, the issuing country, validity, top issuing certificate authorities (CAs), and others, highlighting potentially discriminatory features.