Hackers Increasingly Abusing Authenticode Method

Anti-virus vendor F-Secure has observed an increase in the number of digitally signed samples of malware. It said that increasing number of scareware are also including an authentic digital signature.

A digitally signed software means that it is confirmed to be a legitimate software and that its origin is verified. The software authenticating method, called authenticode, recognizes the signed software's publisher and confirms that it has remained safe from tampering before its installation by users onto their computers. Consequently, authenticode enables users to make a better decision about downloading a software.

Reportedly, malware authors are employing different tricks to get valid digital sign or certificates for their malicious software. This way they are successfully overcoming the hurdles on the Windows systems and stopping the alerts like those popping up at the time a software tries to install ActiveX control on Internet Explorer, or prior to downloading a driver.

This was found during the research done by F-Secure's senior anti-virus researcher, Jarno Niemela and was initially revealed in the CARO 2010 Technical Workshop held in Helsinki (Finland) in May 2010.

As per the Niemela's research, the security firm detected several unwanted software tagged as digitally signed. These included toolbars, dialers, spyware, adware and several others (nearly 384935 files).

The cyber crooks are exploiting authenticode in numerous ways, which include self-signed certificates with bogus name, copying certificate information from legitimate files, finding someone for signing their malicious stuff, getting certified and being evil, stealing a certificate, etc.

According to F-Secure, the problem is still below the critical levels as virus authors are still not using this method on a massive scale. Though, this trend could soon change with the increasing spread of Windows 7, owing to the heavy dependence of this version on authenticode as compared to its predecessors.

In such a scenario, anti-virus firms will need to collaborate with the Certificate Authorities in order to make sure that misused and fake certificates can be blocked at the earliest.

Related article: Hackers Redirect Windows Live Search to Malicious Sites

» SPAMfighter News - 7/9/2010