Antivirus Detection: Code-Signed Malware
This post is inspired by an article from Ars Technica that covered this research report; you can find that article here.
Late last week, a group of security researchers from the University of Maryland Institute for Advanced Computer Studies presented findings from their paper Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI.
The most startling finding of the report, for me, is the revelation that the researchers were able to successfully bypass antivirus software detection, using known malware, by code signing the malware with stolen certificates, expired certificates and even by simply copying the signature from a legitimate piece of software. The report states:
“We find that simply copying an Authenticode signature from a legitimate file to a known malware sample may cause anti-virus products to stop detecting it—even though the signature is invalid, as it does not match the file digest.”
In this paper, the researchers examine the software “code-signing” ecosystem, its weaknesses, how it’s abused and more. To perform their analysis, the researchers took malware samples that are already well known to be malicious and applied code signing to each of them. Each of the samples was then executed on Windows computers set up with some of the most popular antivirus programs, in order to test how effective those programs would be at detecting the known malware after it had been code signed.
The results weren’t pretty. The following table shows the number of times antivirus programs failed to detect any of the 10 code-signed malware samples.
So, what is code signing anyway?
Code signing is a method software publishers use to authenticate the programs they distribute to end-users. Basically, a code-signed program tells the end-user and an end-user’s computer that the program being installed/executed is from a legitimate software publisher.
How does code-signing work?
Code signing and its inner workings can be complex, but it can be summed up simply. A software publisher requests a code-signing certificate from a certificate authority (CA), which should validate that the company or publisher is a legitimate entity. The certificate itself is digital and consists of a public and private key pair (explainer on public key cryptography here). Upon receiving a code-signing certificate, the publisher “signs” their binary (program) with the private key portion of the certificate, creating a digital signature that can be validated with the certificate’s public key.
How does this research affect you?
Code signing is used heavily in operating systems like Windows (I’m sure you’re familiar with the user access control prompt!), and it’s designed to keep users safe from malicious software. Unfortunately, as this research shows, code signing is imperfect and can be abused for malicious reasons.
When you download software from the internet, there are a lot of things that can go wrong that could result in your computer getting infected with malware. Many of us use antivirus software as a “last line of defense” against malicious actors and malicious software, but when antivirus fails to detect malicious software, users and companies can be in for a world of hurt.
So, what should you take away from this research? For me, it’s being more aware of the software I download, install and execute on my computer. I’ll absolutely be more vigilant in making sure I trust the website from which I’m downloading, checking for signatures on the programs I download, checking the validity of the code-signing certificates used to sign the program, and being extremely cautious when it comes to executing software that has no code signing at all.
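The signature checks described in the “how does code-signing work” section and in the takeaways above can be scripted on Windows. The following is an added example, not code from the paper or from this post; it assumes a Windows host with PowerShell 5.1 or later and a scan folder that you supply (the path shown is a placeholder).

```powershell
# Added example: classify downloaded files by their Authenticode signature status.
# Assumes Windows PowerShell 5.1+; the scan root below is a placeholder you replace.
function Test-CodeSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Include = @('*.exe', '*.dll', '*.msi', '*.sys', '*.ps1')
    )
    Get-ChildItem -Path $Path -Recurse -File -Include $Include | ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        # Map the Windows verdict to the cases the paper describes. 'HashMismatch' is the
        # copied-signature case: a signature is present but was computed over a different file.
        $verdict = switch ($sig.Status) {
            'Valid'        { 'signed-valid' }
            'NotSigned'    { 'unsigned' }
            'HashMismatch' { 'TAMPERED: signature does not match the file digest' }
            'NotTrusted'   { 'UNTRUSTED: signer chain does not reach a trusted root' }
            default        { "CHECK: $($sig.Status)" }
        }
        # An expired certificate is acceptable only when the signature carries a trusted
        # timestamp proving it was made while the certificate was still valid.
        $expired     = ($null -ne $cert) -and ($cert.NotAfter -lt (Get-Date))
        $timestamped = $null -ne $sig.TimeStamperCertificate
        if ($expired -and -not $timestamped) { $verdict = "EXPIRED-NO-TIMESTAMP: $verdict" }
        $subject    = if ($cert) { $cert.Subject }    else { $null }
        $thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        $notAfter   = if ($cert) { $cert.NotAfter }   else { $null }
        [pscustomobject]@{
            File        = $_.FullName
            Status      = $sig.Status
            Verdict     = $verdict
            Signer      = $subject
            Thumbprint  = $thumbprint
            NotAfter    = $notAfter
            Timestamped = $timestamped
        }
    }
}

# Placeholder path: replace with the download folder you want to audit.
Test-CodeSignature -Path 'C:\Users\<you>\Downloads' |
    Where-Object { $_.Verdict -ne 'signed-valid' } |
    Format-Table File, Status, Verdict, Signer -AutoSize
```

This catches the copied, malformed and untrusted signatures the paper found antivirus products overlooking, but a file signed with a stolen certificate that is still valid and unrevoked will report as signed-valid, so the signer's subject and thumbprint still deserve a look against what you expect from that publisher.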