The Impact of Malicious Signed Binaries

Certificate authorities have long been used as a trusted means to relay secure access to information via the Internet. Certificate authorities issue digital certificates; once a content provider signs and validates a binary (application) with one, the certificate conveys the publisher's identity to anyone who checks the signature.

This trust model worked until cybercriminals started obtaining certificates for malicious signed binaries, or malicious applications, which makes attacks much simpler to execute. When a user relies only on a certificate to bridge trust with a service provider, attackers can simply trick them into trusting a malicious application. Once attackers have tricked administrators and users into trusting a malicious program, they can easily evade and circumvent security software.

During the first quarter of 2018, McAfee Labs researchers discovered a total of 664,000 new malicious signed binaries. The total number of malicious signed binaries reached nearly 25 million in early 2018.

Signed malware originates from stolen, purchased, or altered certificates. More specifically, though, this malware is growing with help from suspicious content distribution networks (CDNs). These websites allow developers to upload either programs or URLs that link to external applications, and then discreetly wrap the code in a signed installer. These CDNs offer attackers a channel for distributing their malware and disguise the developers' intentions.

Malicious signed binaries can lead to dire consequences for application users. If these numbers keep rising, users will no longer be able to rely on certificate authorities alone. Users will instead need to rely on the reputation of the vendor that signed the binary, and on that vendor's ability to secure its signing keys and data. If this is the ultimate result, the certificate authority model risks becoming obsolete.
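The practical consequence of the argument above is that "the signature is valid" must be treated as necessary but not sufficient. The following PowerShell check is an added example written for this article, not code from the report or from McAfee; it pins the signer to a vetted publisher list rather than trusting any chain to a CA, and the thumbprint values and the recency heuristic are placeholders and assumptions of the example.

```powershell
# Added example: verify the Authenticode signature, then require the signer to be a
# publisher you have vetted. Thumbprints below are placeholders, not real vendor values.
$TrustedPublisherThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_OF_VENDOR_A',
    'PLACEHOLDER_THUMBPRINT_OF_VENDOR_B'
)

function Test-TrustedBinary {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Step 1: the signature must be cryptographically valid and chain to a trusted root.
    # Anything else (NotSigned, HashMismatch, NotTrusted, UnknownError) is rejected outright.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'; Reason = "Signature status: $($sig.Status)" }
    }

    $cert = $sig.SignerCertificate

    # Step 2: a valid chain only proves some CA issued this certificate; it says nothing
    # about whether the holder of the private key is a publisher you actually trust.
    # A stolen or freshly purchased certificate passes step 1 but fails this pin.
    if ($TrustedPublisherThumbprints -notcontains $cert.Thumbprint) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REVIEW'; Reason = "Valid signature from unvetted publisher: $($cert.Subject)" }
    }

    # Step 3 (heuristic, an assumption of this example): a signing certificate that was
    # issued only days ago deserves a second look even when it is on the allowlist,
    # because a compromised vendor may have had a new certificate issued in its name.
    $ageDays = (Get-Date) - $cert.NotBefore
    if ($ageDays.TotalDays -lt 14) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REVIEW'; Reason = "Allowlisted publisher, but certificate issued $([int]$ageDays.TotalDays) days ago" }
    }

    return [pscustomobject]@{ Path = $Path; Verdict = 'ALLOW'; Reason = "Vetted publisher: $($cert.Subject)" }
}

# Usage: scan a download directory and list everything that is not from a vetted publisher.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe |
    ForEach-Object { Test-TrustedBinary -Path $_.FullName } |
    Where-Object { $_.Verdict -ne 'ALLOW' } |
    Format-Table -AutoSize
```

The REVIEW verdict is the point: a binary that is validly signed but by an unknown publisher is exactly the case the article describes, and it should route to analysis rather than silently run.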