Code signing is the practice of cryptographically signing a piece of software so that the operating system and its users can verify that it is safe. Code signing works well, by and large. The majority of the time, only the correct software uses its corresponding cryptographic signature.

Users can download and install safely, and developers protect the reputation of their product. However, hackers and malware distributors are using that exact system to help malicious code slip past antivirus suites and other security programs.

How does code-signed malware and ransomware work?

What Is Code Signed Malware?

When software is code-signed, it means that the software carries an official cryptographic signature. A Certificate Authority (CA) issues the software with a certificate confirming that the software is legitimate and safe to use.

Better still, your operating system takes care of the certificates, code checking, and verification, so you don't have to worry. For instance, Windows uses what is known as a certificate chain. The certificate chain consists of all the certificates needed to ensure the software is legitimate at every step of the way.

"A certificate chain consists of all the certificates needed to certify the subject identified by the end certificate. In practice, this includes the end certificate, the certificates of intermediate CAs, and the certificate of a root CA trusted by all parties in the chain. Every intermediate CA in the chain holds a certificate issued by the CA one level above it in the trust hierarchy. The root CA issues a certificate for itself."

When the system works, you can trust software. The CA and code signing system require a huge amount of trust. By extension, malware is malicious, untrustworthy, and should not have access to a Certificate Authority or code signing. Thankfully, in practice, that is how the system works.

Until malware developers and hackers find a way around it, of course.

Hackers Steal Certificates From Certificate Authorities

Your antivirus knows that malware is malicious because it has a negative effect on your system. It triggers warnings, users report problems, and the antivirus can create a malware signature to protect other computers using the same antivirus tool.

However, if the malware developers can sign their malicious code using an official cryptographic signature, none of that will happen. Instead, the code-signed malware will walk through the front door as your antivirus and the operating system rolls out the red carpet.

Trend Micro research found that there is an entire malware market supporting the development and distribution of code-signed malware. Malware operators gain access to valid certificates which they use to sign malicious code. The following table shows the volume of malware using code signing to evade antivirus, as of April 2018.

trend micro code signed malware type table

The Trend Micro research found that around 66 percent of the malware sampled was code-signed. Furthermore, certain malware types come with more code signing instances, such as Trojans, droppers, and ransomware. (Here are seven ways to avoid a ransomware attack!)

Where Do Code Signing Certificates Come From?

Malware distributors and developers have two options regarding officially signed code. Certificates are either stolen from a Certificate Authority (directly, or for resale), or a hacker can attempt to mimic a legitimate organization and fake their requirements.

As you would expect, a Certificate Authority is a tantalizing target for any hacker.

It isn't just hackers fueling the rise in code-signed malware. Allegedly unscrupulous vendors with access to legitimate certificates sell trusted code-signing certificates to malware developers and distributors, too. A team of security researchers from Masaryk University in the Czech Republic and Maryland Cybersecurity Center (MCC) discovered four organizations selling [PDF] Microsoft Authenticode certificates to anonymous buyers.

"Recent measurements of the Windows code signing certificate ecosystem have highlighted various forms of abuse that allow malware authors to produce malicious code carrying valid digital signatures."

Once a malware developer has a Microsoft Authenticode certificate, they can sign any malware in an attempt to negate Windows security code-signing and certificate-based defense.

In other cases, rather than steal the certificates, a hacker will compromise a software build server. When a new software version releases to the public, it carries a legitimate certificate. But a hacker can also include their malicious code in the process. You can read about a recent example of this type of attack below.

3 Examples of Code-Signed Malware

So, what does code-signed malware look like? Here are three code-signed malware examples:

  1. Stuxnet malware. The malware responsible for destroying the Iranian nuclear program used two stolen certificates to propagate, along with four different zero-day exploits. The certificates were stolen from two separate companies---JMicron and Realtek---that shared a single building. Stuxnet used the stolen certificates to avoid the then newly-introduced Windows requirement that all drivers required verification (driver signing).
  2. Asus server breach. Sometime between June and November 2018, hackers breached an Asus server the company uses to push software updates to users. Researchers at Kaspersky Lab found that around 500,000 Windows machines received the malicious update before anyone realized. Instead of stealing the certificates, the hackers signed their malware with legitimate Asus digital certificates before the software server distributed the system update. Luckily, the malware was highly targeted, hard-coded to search for 600 specific machines.
  3. Flame malware. The Flame modular malware variant targets Middle Eastern countries, using fraudulently signed certificates to avoid detection. (What is modular malware, anyway?) The Flame developers exploited a weak cryptographic algorithm to falsely sign the code signing certificates, making it appear as if Microsoft had signed them off. Unlike Stuxnet which carried a destructive element, Flame is a tool for espionage, seeking out PDFs, AutoCAD files, text files, and other important industrial document types.

How to Avoid Code-Signed Malware

Three different malware variants, three different types of code signing attack.  The good news is that most malware of this type is, at least at the current time, highly targeted.

The flipside is that because of the success rate of such malware variants that use code signing to avoid detection, expect more malware developers to use the technique to make sure their own attacks are successful.

As well as this, protecting against code-signed malware is extremely difficult. Keeping your system and antivirus suite up to date is essential, avoid clicking on unknown links, and double-check where any link is taking you before following it.

Other than updating your antivirus, check our list of how you can avoid malware!