Issued for Abuse: Measuring the Underground Trade in Code Signing Certificate
نویسندگان
چکیده
Recent measurements of the Windows code-signing certificate ecosystem have highlighted various forms of abuse that allow malware authors to produce malicious code carrying valid digital signatures. However, the underground trade that allows miscreants to acquire such certificates is not well understood. In this paper, we illuminate two aspects of this trade. First, we investigate 4 leading vendors of Authenticode certificates, we document how they conduct business, and we estimate their market share. Second, we collect a data set of recently signed malware and we use it to study the relationships among malware developers, malware families and the certificates. We also use information from the black market to fingerprint the certificates traded and to identify when the are likely used to sign malware in the wild. Using these methods, we document a shift in the methods that malware authors employ to obtain valid digital signatures. While prior studies have reported the use of code-signing certificates that had been compromised or obtained directly from legitimate Certification Authorities, we observe that, in 2017, these methods have become secondary to purchasing certificates from underground vendors. We also find that the need to bypass platform protections such as Microsoft Defender SmartScreen plays a growing role in driving the demand for Authenticode certificates. Together, these findings suggest that the trade in certificates issued for abuse represents an emerging segment of the underground economy.
منابع مشابه
The Initium X.509 Certificate Wizard
This paper describes the use of the Thawte’s “Web of Trust” X.509 certificates for signing and distributing executable Jar resources. A keytool wizard (called the Initium X.509 Certificate Wizard) was developed in order to help with the importation and management of certificates. A signed Jar file generally indicates that the signer authorizes the contents. Signing is accomplished using a certi...
متن کاملMeasuring the Latency and Pervasiveness of TLS Certificate Revocation
Today, Transport-Layer Security (TLS) is the bedrock of Internet security for the web and web-derived applications. TLS depends on the X.509 Public Key Infrastructure (PKI) to authenticate endpoint identity. An essential part of a PKI is the ability to quickly revoke certificates, for example, after a key compromise. Today the Online Certificate Status Protocol (OCSP) is the most common way to ...
متن کاملAn Extended Public Key Infrastructure Framework For Host-Based Information Security Management
Web software that is designed and deployed to collect end-user information and transmit it to a remote server destination is proliferating. This overall software paradigm spans many scenarios – from fully legitimate software updating and remote management, to profiling user surfing habits (i.e. adware), to illicitly collecting personal user-information (i.e. spyware). The research within this p...
متن کاملOutsourcing digital signatures: a solution to key management burden
Digital signatures are only enjoying a gradual and reluctant acceptance, despite the long existence of the relevant legal and technical frameworks. One of the major drawbacks of client-generated digital signatures is the requirement for effective and secure management of the signing keys and the complexity of the cryptographic operations that must be performed by the signer. Outsourcing digital...
متن کاملBaton: Key Agility for Android without a Centralized Certificate Infrastructure
Android’s trust-on-first-use application signing model associates developers with a fixed signing key, but lacks a mechanism to transparently update the key or renew their signing certificate. As an advantage, this feature allows application updates to be recognized as authorized by a party with access to the original signing key. Changing keys or certificates requires that end-users manually u...
متن کامل