Legit digital certificates mask some malware, McAfee warns

McAfee research indicates that a steep rise in the amount of malware signed with legitimate digital certificates—not forged or stolen ones—is a growing threat that raises the question whether there should be some kind of "certificate reputation services" or other method to stop certificate abuse.

Malware signed with legitimate certificates has soared since 2010 when roughly 1.3 percent of a sample set was found signed that way, according to McAfee. This roughly doubled to 2.9 percent in 2011, then rose to 6.6 percent in 2012. Though the rate is slightly lower so far this year, the total amount of certificate abuse continues to grow because the amount of new malware roughly doubles every year.

Sudden, recent emergence

Speaking at the company's annual user conference in Las Vegas last week, David Marcus, director of advanced research and threat intelligence, said McAfee Labs also found that legitimately signed Android malware, almost nonexistent in 2010, grew to be about 7 percent of all Android malware in 2012 and today constitutes 24 percent.

"The certificates aren't actually malicious—they're not forged or stolen, they're abused," said Marcus. This means the attacker has gone out and gotten a legitimate certificate typically from a company associated with a top-root Certificate Authority such as Comodo, Thawte, or VeriSign. The attacker uses this legitimate certificate to sign malware code in order to be able to fool security defenses such as whitelisting or sandboxing, he said.

McAfee sees instances where many hundreds of malware samples were signed with the same certificate while virtually no non-malicious use of the certificate can be found. This all raises the question of whether there should be "reputation services" for certificates so businesses could protect themselves from malware signed in what seems to be a legitimate certificate.

'Abused certificates' assist attacks

Marcus was joined in his presentation by James Wolfe, chief information security engineer, ePO at Lockheed Martin, who said the issue of "abused certificates" used to sign malware has gotten more attention since earlier this year when a number of targeted attacks became publicly known, though the tactic isn't entirely new. He said malware signed with legitimate certificates can be viewed as a kind of "advanced persistent threat" to try and compromise security in organizations.

McAfee has only compiled its data and analyzed it over the last few months, hasn't shared it yet with the certificate authorities or Symantec, and is considering how the bulk of the research data might suggest an actionable way to identify "abused certificates" in order to block malware. "This information gives you the ability to make a decision," Marcus said.

Wolfe said all of this has to be carefully considered since something like signature-based scanning for abused certificates doesn't seem entirely viable. Another issue, said Marcus, is if they had to do it, attackers could always decide to sign every piece of malware they created with a new legitimate certificate. "You can have a certificate per malware," he noted. "But God help us if it gets to that."  

Subscribe to the Security Watch Newsletter

Comments