Malicious Signed Binaries Crush Certificate Authority Reputation

March 24, 2014

Certificate authorities (CAs) have long been used as a trusted means to relay secure access to information via the Internet. CAs provide digital certificates that deliver the information once an application, or binary, is signed and validated by the service provider that owns the content in question. This trust model has worked until cybercriminals started obtaining certificates for malicious signed binaries, or malicious applications, which makes attacks much simpler to execute. When a user relies only on a certificate to bridge trust with a service provider, attackers can simply trick them into trusting a malicious application. When attackers are able to trick administrators and users into trusting a malicious program, they can easily evade and circumvent security software.

New Malicious Signed Binaries

During the last quarter of 2013, McAfee Labs researchers discovered that malicious signed binaries have skyrocketed, reaching unprecedented numbers in more complex and advanced methods than previously recorded. During the fourth quarter of 2013, researchers found more than 2.3 million new malicious signed binaries — a 52% increase from just the third quarter. Throughout all of 2013, nearly 5.7 million new malicious signed binaries were discovered, which was more than triple the amount found in 2012.

This jump in malicious signed binaries can lead to dire consequences for application users. If these numbers remain on an increasing path, users will no longer be able to rely on certificate authorities. Users will need to rely on the vendor’s reputation who signed the binary, and the ability of the vendor to secure its data. If this is the ultimate result, the certificate authority model risks running obsolete.

Content Distribution Networks

Signed malware as a whole originates from stolen, purchased, or altered certificates. More specifically, though, this malware is growing at a faster rate with help from suspicious content distribution networks (CDNs). These websites allow developers to either upload programs or URLs that link to external applications, and then discreetly wrap the code in a signed installer. These CDNs offer attackers a channel for distributing their malware and disguise developers’ intentions.

Additionally, researchers were able to trace some of the malicious signed binaries back to a group of the most used CDNs. While narrowing down the list is important, it does not completely solve the problem since there are many other certificates linked to other CDNs. However, recognizing the pattern by malicious developers explains the recent and rapid growth of signed malware.

Top Certificate Subjects on Malicious Signed Binaries

The list below shows the top certificate signers that were associated with malicious signed binaries in 2013 and their percentage of all malicious signed binaries:

  • Firseria SL — 14%
  • AND LLC — 8%
  • Tuguu SL — 6%
  • Payments Interactive SL — 6%
  • Corleon Group Ltd. — 4%