Two recent examples of malware utilizing digital signatures belonging to legitimate companies have put a spotlight on the question of what to do about it.
Researchers at Trend Micro recently found a variant of the Zeus Trojan that used a certificate belonging to Kaspersky Lab’s ZbotKiller product, which ironically is designed to destroy Zeus. Though the certificate was expired, the idea was for the malware to use it to look legitimate.
Unlike in the case of the Stuxnet malware, which installs drivers digitally signed by RealTek Semiconductor and JMicron Technology, the authors of the Zeus variant did not actually steal the certificate and sign files with it. Instead, they simply cut and pasted the signature from another file, explained Roel Schouwenberg, senior antivirus researcher with Kaspersky.
“The new variant of Zeus simply contains a signature which was copy-pasted from another file,” Schouwenberg said. “This doesn’t produce a valid signature nor does it involve a breach of our certificate integrity, unlike the case with Stuxnet versus RealTek and JMicron.”
According to Schouwenberg, the problem can partly be addressed by Microsoft.
“Whenever you’re trying to install new software which is signed, Windows asks you, Do you trust Publisher X? That gives the user a clear indication where the software is coming from,” he explained. “So that happens when the signature is valid. However, when the digital signature isn’t valid Windows simply treats the file as an unsigned file … If Windows would simply alert the user that the certificate was invalid and the file should not be run we would be a lot better off.”
The RealTek certificate used to sign the Stuxnet drivers expired in June; the JMicron certificate expires in July of 2012. Since Stuxnet is now believed to have been out for more than a year, it’s possible such a warning wouldn’t have helped many users infected by the worm. However, it could help address the problem of malware writers copying certificates-something that has been done for years now, Schouwenberg said.
Microsoft said it has been in contact with Kaspersky and is evaluating the incident. However, Gartner analyst John Pescatore noted the problem is bigger than the operating system.
“It isn’t just Windows, it is pretty much every browser, every OS,” Pescatore said. “If a certificate is expired or invalid, some popup is shown to the user. But since legitimate software vendors often fail to renew certificates on time, users get trained to just click thru the popups, and the use of the certificate becomes meaningless-it is like the FBI warning at the start of every DVD movie.
“Now, it would be a good thing for the [Certificate Authority/Browser Forum] to come up with some agreed upon standards for how to handle different issues-an expired cert warning should be very different than a warning for a cert where the signature is invalid, etc,” he continued. “And they need to do a lot of education [of] users to make the difference clear.”
While Stuxnet provides a high-profile example, an attack where digital certificates are actually stolen is quite rare, said Ben Greenbaum, senior research manager for Symantec Security Response.
“It involves getting inside an organization and stealing their private PGP key that is used for actually signing files,” Greenbaum said.
Stuxnet’s success in utilizing a stolen certificate does not make the certificates themselves irrelevant, he added.
“Maintaining secure control over private signing certificates has always been the key to the proper operation of application signing, and given the rarity of threats that utilize stolen certificates, I think that in general organizations do a pretty good job of this,” he said. “It might be easier to think of it in this way: If one person loses a key to their house or has it stolen, that doesn’t mean all door locks have all of a sudden become useless or irrelevant.”
