Signing a Windows executable file was originally conceived as a mechanism to guarantee the authenticity and integrity of a file published on the internet. Since its inception, the process of cryptographically signing a piece of code was designed to give the operating system a way to discriminate between legitimate and potentially malicious software. Unfortunately, this system is built on a problematic core tenet: trust. The chain of trust is relatively straightforward: certificates are signed (issued) by trusted certificate authorities (CAs), which in turn have the backing of a trusted parent CA. This inherited trust model is taken advantage of by malware authors who purchase certificates directly or via resellers. Whether purchased directly or indirectly, due diligence into customers appears to be lacking. Revoking a certificate, the process by which a CA declares that the certificate is no longer trustworthy, is unfortunately the only real tool available to combat certificate abuse. That process introduces a delay during which malware carrying a certificate may still be considered “trusted”.
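The two points in the paragraph above, that trust is inherited down a CA chain and that revocation is the only lever a CA has, are what a defender checks when triaging a signed binary. The following PowerShell is an added example and not code from the original article: it reads a file's Authenticode signature with the built-in `Get-AuthenticodeSignature` cmdlet, then rebuilds the signer's chain with revocation checking forced online so that a certificate the CA has since revoked is reported even when the embedded signature still verifies. The `$FilePath` default is a placeholder; any signed PE file can be substituted.

```powershell
# Added example (not from the original article). Inspect a Windows PE file's
# Authenticode signature and re-validate the signer's certificate chain with
# online revocation checking. $FilePath is a placeholder default.
param(
    [string]$FilePath = 'C:\Windows\System32\notepad.exe'
)

$sig = Get-AuthenticodeSignature -FilePath $FilePath
Write-Host "Signature status : $($sig.Status)"   # Valid, NotSigned, HashMismatch, ...
if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
    Write-Host "No signer certificate present; nothing further to check."
    return
}

$cert = $sig.SignerCertificate
Write-Host "Signer subject   : $($cert.Subject)"
Write-Host "Issuer           : $($cert.Issuer)"
Write-Host "Valid from/to    : $($cert.NotBefore) -> $($cert.NotAfter)"
if ($sig.TimeStamperCertificate) {
    Write-Host "Timestamped by   : $($sig.TimeStamperCertificate.Subject)"
}

# Rebuild the chain ourselves. Get-AuthenticodeSignature may report 'Valid'
# from cached CRL data; forcing Online revocation and EntireChain makes the
# check reflect the CA's current view of every certificate in the chain.
$ns    = 'System.Security.Cryptography.X509Certificates'
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag    = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
# Require the code-signing extended key usage (OID 1.3.6.1.5.5.7.3.3) so a
# certificate issued for another purpose does not satisfy the chain.
$chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.3') | Out-Null
$chainOk = $chain.Build($cert)

Write-Host "Chain builds     : $chainOk"
foreach ($element in $chain.ChainElements) {
    $status = if ($element.ChainElementStatus.Count -eq 0) { 'OK' }
              else { ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', ' }
    Write-Host ("  {0}  [{1}]" -f $element.Certificate.Subject, $status)
}

# Separate "the signature is cryptographically intact" from "the CA still
# vouches for this certificate": a revoked signer is the case the article
# describes, where the file verifies but its trust has been withdrawn.
$revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
$revoked = $chain.ChainStatus | Where-Object { ($_.Status -band $revokedFlag) -ne 0 }

if ($revoked) {
    Write-Host "RESULT: signer or an issuer is REVOKED; treat as untrusted despite an intact signature."
} elseif (-not $chainOk) {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Write-Host "RESULT: chain did not validate: $reasons"
} elseif ($sig.Status -ne 'Valid') {
    Write-Host "RESULT: signature problem: $($sig.Status)"
} else {
    Write-Host "RESULT: signature valid and chain currently trusted (revocation checked online)."
}
```

Run it as a script with `-FilePath` pointing at the binary under review. The per-element status list is the useful part when triaging: it shows at which link of the chain (signer, intermediate, root) trust fails, and the explicit `Revoked` test distinguishes a certificate the CA has withdrawn from one that is merely expired or untrusted on this machine. Because the check goes online, a host without CRL/OCSP reachability will report `RevocationStatusUnknown` or `OfflineRevocation` rather than a clean result, which is the conservative outcome the revocation delay described above calls for.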