Fake certificates for sale
Security academics warn that a key component in the fight against malware has been compromised
Code-signing certificates let security features within browsers and Microsoft’s Defender SmartScreen verify who published a file or app before allowing it onto a device, in theory showing that the code comes from a trusted, legitimate source.
In recent years malware creators have stolen or otherwise abused certificates belonging to legitimate companies. Windows 10’s SmartScreen counters this with a reputation check rather than a signature check alone: a file signed with a certificate that SmartScreen has not seen before still triggers a warning, however valid the signature is.
But, according to new research, there is an emerging market in which criminals sell certificates that already carry the reputation needed to pass these stronger checks. According to researchers from the University of Maryland and Masaryk University in the Czech Republic, an ordinary code-signing certificate, validly issued by an authority such as Comodo, can be bought from underground shops for as little as $350.
Such a certificate might fool some systems, but there is a sliding scale of trust: SmartScreen lets code run without a warning only when it is signed with a certificate that has built up a high reputation score. “This provides a challenge for malware developers,” the researchers explain in their report, Issued for Abuse: Measuring the Underground Trade in Code Signing Certificates. “Even when they manage to obtain a valid signature, if they want to go unnoticed they need to build a reputation for the certificate first by signing benign programs and installing them on many client machines.”
However, the researchers say malware writers can instead pay around $7,000 to black-market sellers who build up a certificate’s reputation before selling it, behaving like a legitimate software company by signing harmless programs and distributing them widely. “If the application has a track record and is deemed benign, then the application launches without any warnings,” the researchers said.
According to the report, the root of the problem is that these certificates are not forged or stolen but genuinely issued: sellers set up shell companies that pass a certificate authority’s vetting and apply for certificates legitimately, then sell or use them to distribute malware. The researchers called on certificate authorities to improve their vetting of new clients.
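The practical lesson for defenders is that a valid Authenticode signature proves only that the file chains to a root the machine trusts; it says nothing about whether the certificate was bought by a shell company last week. The script below is an added example written for this page, not code from the article or from the Issued for Abuse paper. It walks a directory with the standard Get-AuthenticodeSignature cmdlet and flags signed files whose certificate was issued recently, whose signer is not on a local allowlist, or which lack a timestamp countersignature. The scan path, the 90-day threshold and the allowlist of signer names are assumed, illustrative values.

```powershell
# Added example, not code from the article or the "Issued for Abuse" paper.
# A Valid status from Get-AuthenticodeSignature is a local chain check only;
# it does not consult SmartScreen reputation, so the $350 certificates the
# report describes pass it. We therefore also record certificate age, signer
# identity and timestamping, which are the signals a defender can check locally.
#
# Assumptions (illustrative, adjust for your environment): the scan path, the
# 90-day "recently issued" threshold and the signer allowlist below.

param(
    [string]   $Path           = 'C:\Users\Public\Downloads',
    [int]      $NewCertDays    = 90,
    [string[]] $TrustedSigners = @('Microsoft Corporation', 'Contoso Ltd')  # assumed allowlist of vetted subject CNs
)

function Get-SignerTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [int]      $NewCertDays    = 90,
        [string[]] $TrustedSigners = @()
    )

    $sig   = Get-AuthenticodeSignature -FilePath $FilePath
    $cert  = $sig.SignerCertificate
    $flags = [System.Collections.Generic.List[string]]::new()

    # Anything other than Valid (NotSigned, HashMismatch, NotTrusted, ...) is a finding on its own.
    if ($sig.Status -ne 'Valid') { $flags.Add("status $($sig.Status)") }

    $signerCN = $null
    $issuerCN = $null
    $ageDays  = $null
    $thumb    = $null
    if ($cert) {
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signerCN = $cert.GetNameInfo($nameType, $false)   # subject CN (the claimed publisher)
        $issuerCN = $cert.GetNameInfo($nameType, $true)    # CN of the issuing CA
        $thumb    = $cert.Thumbprint
        $ageDays  = [int]((Get-Date) - $cert.NotBefore).TotalDays

        # A certificate issued only days ago is exactly what a freshly bought one looks like.
        if ($ageDays -lt $NewCertDays) { $flags.Add("certificate issued $ageDays days ago") }

        # A shell company passes the CA's vetting, not yours: unknown signers are findings to triage.
        if ($TrustedSigners -notcontains $signerCN) { $flags.Add("signer '$signerCN' not on allowlist") }

        # Without a timestamp countersignature the signature expires with the certificate;
        # legitimate release pipelines almost always timestamp, throwaway signing often does not.
        if (-not $sig.TimeStamperCertificate) { $flags.Add('no timestamp countersignature') }
    }

    [pscustomobject]@{
        Path       = $FilePath
        Status     = $sig.Status
        Signer     = $signerCN
        Issuer     = $issuerCN
        CertAge    = $ageDays
        Thumbprint = $thumb
        Sha256     = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash
        Flags      = ($flags -join '; ')
    }
}

# Walk the directory and show only files that raised at least one flag, youngest certificates first.
Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi |
    ForEach-Object { Get-SignerTriage -FilePath $_.FullName -NewCertDays $NewCertDays -TrustedSigners $TrustedSigners } |
    Where-Object { $_.Flags } |
    Sort-Object CertAge |
    Format-Table Path, Status, Signer, Issuer, CertAge, Flags -AutoSize -Wrap
```

Run it as `.\Triage-Signers.ps1 -Path C:\staging -NewCertDays 60` (the script name is assumed). Two caveats: the Status column reflects the certificate store of the machine running the scan, so a result of Valid on one host is not a verdict for the fleet; and the allowlist deliberately turns every unfamiliar but legitimate signer into a finding, which is the cost of not relying on the CA's vetting alone. The Thumbprint and Sha256 columns are there so a flagged certificate or file can be pivoted on across other hosts and threat-intelligence feeds.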