If a file is signed does that mean it is clean?

Some malware authors are always in the hunt to find new ways to deliver their deadly payloads. One of them is to use fake certificates or even pretending to have legitimate ones in order to fool security apparatus. Here is an interesting lecture given by one of F-Secure employees.

http://www.f-secure.com/weblog/archives/Jarno_Niemela_its_signed.pdf

What do you think guys?

Thanks.

 

I don't think it matters much, considering I rarely come across legit software that is signed by a "known vendor" or signed period. My UAC is always complaining about that, and most of the time the software is from very well known vendors.

 

Actually it does matter greatly for the simple fact that a lot of security software companies use the file signature approach to authenticate good files from malware.

Thanks.

 

Thats also a question i have been wondering about also, So i would assume because this file has these it couldn`t of been tampered Eg:Virus otherwise it would verify ??

 

Malware can be digitally signed.
A recent popular example of malware being signed is the recent Stuxnet rootkit/trojans - http://www.securelist.com/en/blog/2236/Stuxnet_signed_certificates_frequently_asked_questions

I have also previously seen malware signed by Microsoft.

 

Thats scary indeed

 

Not scary at all. The occurrences of these (so far) has been relatively small. Also, most people do not look at a digital signature anyway, just click away. If one is going to do that, then they're at higher risk anyway and a signature wont stop them from doing so.

The main trouble is for security solutions to identify them, as they tend to restrict digitally signed applications less due to the much higher probability of them being clean.

 

Good thread, thanks for starting it.

The answer to your question is implied in the OP.

NO a digital signature on it's own does not mean that the file is clean. They can be faked.

Not only that but one clean file from a vendor does NOT mean that all files from that vendor are clean.

We need our AV's and suites to do this checking properly, file by file and not rely on signatures alone. I have always felt that a "white" list of clean files was the way to go.

Buyer beware again!

 

I disagree with you, to me it is very scary and it was the bottom line of the F-secure article. What is needed is new approach within the computer security industry to combat such threat. One of the possible suggestions by F-secure was for computer security companies to build an infrastructure to that would allow information sharing.

In the meantime I think that Symantec and TrendMicro are quite right in promoting their file reputation analysis in order to prevent digitally signed malware from infecting computers.

Thanks.

 

I agree with you. Once again Buyer Beware. Or Downloader Beware .

Thanks.

 

I Fully Agree. Hope more av companys follow that path,
I think i need to grow a beard & start chewing tobacco and wearing a poncho and change my name to clint eastwood And have a 6 button mouse
The internet now is like the wild west with but with no sheriff

 

True, but malware cannot be (1) signed by a trusted authority (e.g., Microsoft) and (2) successfully verified. In other words, the fake signature will fail verification.

For more information on this topic, please see this thread.

 

It does not necessarily have to be a fake signature, can be a stolen one eg, Stuxnet.
The Induc virus is also an example of this with developers thinking it was a clean file.

 

The question "If a file is signed does that mean it is clean?" is a bit on the absurd side. It's like asking "If a banking check is signed, does that mean it's valid?" No, it doesn't. The real question to consider is who signed it (file with digital signature, banking cheque), and do you trust them. If the signature belongs to someone trustworthy, then you might consider trusting the file to be clean. If the signature belongs to someone less trustworthy, then the signature is no indication at all that the file is clean. It's up to you to decide who to trust. Some folks would trust Microsoft, and some wouldn't, for example. Some folks would trust some mostly unknown small-time software house, some would not.

Malware can be signed. An overwhelming majority of cases are either 1) files signed with some no-name certificate that no-one in their right mind would trust (like "Joe Random Corp" or "Rogue Av Du Jour Corp") or 2) files signed by some careless or ignorant developer who gets their development systems compromised (as was the case with legit software with valid digital signatures that was distributed infected with Induc). The rest are cases where a stolen signature is used.

Any AV or security software or user that assumes all signed files are clean is simply nuts. But sadly, many people can't understand the purpose of digital signatures, even if said purpose is written on the signatures. The purpose of a signature isn't to verify the file is clean of malware etc. The purpose is to verify the file really comes from the owner of the signature, and that the file has not been tampered with since it left the hands of the owner of the signature. That's all. If the file was infected when it was sitting on the system of whoever signed the file, the file is still going to be infected when it's distributed, signature and all. This stuff isn't complicated.

 

Yes most people havn't heard of digital signatures/certs, or would know how to check them for authenticity even if they did.

I'm not saying they are totally worthless, but they don't inspire the confidence they were set up to have. The whole cert business needs a good shaking up, and soon.

Personally i don't give a monkeys about them If i want to DL and install something i "might" check the md5 etc, but having used Returnil in the past and now ShadowDefender, i just test in a VE. If it's good i'll keep it, or recommened it, if not or it's malware it gets flushed.

 

Agreed. So, a follow-up question arises: which anti-malware products actually verify the digital signature of an executable file to ensure that it has not been altered during a scan or when the file is downloaded onto a PC?

 

You are so wrong about this. Behold (I've got the following from a new thread debating a similar subject):

http://blog.trendmicro.com/certificate-snatching-zeus-copies-kasperskys-digital-signature/

In that case the certificate belonged to Kaspersky. To paraphrase you I would say: "Since such a certificate belongs to someone trustworthy, in our case Kaspersky, consequently the file is clean, Right? Wrong. "

I'm afraid to say that this is only the tip of the iceberg, probably the worst is yet to come. Kudos to TrendMicro for their effort in unmasking that thief. I think to counter the trend of certificate theft, file reputation analysis is the way to go and TrendMicro as well as Symantec are the leading proponents.

Thanks.

 

No, I'm not. But next time, I'll try to remember to mention that I'm talking about valid digital signatures obviously, and not invalid ones which are obviously not even worth toilet paper.

Behold, old news. Copied certifactes and stolen certificates are nothing new. No news there. But such topics make for scary articles, perhaps. Especially if one a) doesn't understand the technology involved or b) only checks the scary headline of the article. First F-Secure, now Trend Micro. Who's next to write about the scary invalid digital signatures?

Wrong. In that case, there is an invalid Kaspersky signature on the file.

... Let me ask this. Did you read the Trend Micro blog entry you linked to? Did you look at the text, the screenshots? All of it? Unless I'm much mistaken, the Kaspersky signature on that malicious file they write about is invalid. According to Trend Micro: "While checking the certificate, we noticed that the hash value applied to the suspect file was invalid." Invalid. That would mean there's no valid signature on the file, and it cannot be confirmed that the file came from Kaspersky, whose name is on the signature. An invalid digital signature is like having no digital signature - an invalid digital signature on a file doesn't prove anything about the source and origins of the file. Actually, to anyone who knows what they're doing, it makes the file look more suspicious than having no signature at all, since an invalid signature means the file has been tampered with since it left the hands of whoever has their name on the signature, like Kaspersky in this case. Consequently, the file should not be trusted. That's how this stuff works.

To return to what I said, I never claimed that files with invalid signatures can be considered clean. Granted, I also didn't bother to mention that you should only trust valid signatures to be worth anything, and never trust invalid signatures for anything except pointing out there's something seriously wrong about that file. The one time when I don't point out the obvious, it backfires on me immediately. My mistake, I guess.

Trend Micro's article closes with this piece of advice, by the way: "(This) serves as a good reminder to users to always check the details of signatures and to ensure that they are valid."

Yeah, it probably is just a tip of an iceberg: plenty of scary hype articles still to come. To counter the trend of copied digital signatures, you could use file reputation analysis perhaps, or, you know, you could just not trust invalid digital signatures. Whatever floats your boat.

No idea - anti-malware products aren't my cup of tea.

 

If you are not interested in talking objectively about the subject, with all due respect move on to another thread that may have a subject that you like.

If anti-malware products were not your cup of tea why in the world did you bother to grace this thread with your presence? Nice talking to you. So long...

Thanks.

 

Oh, I'm interested in the subject, and I was certainly talking objectively as in based on facts instead of opinion. Fact is, an invalid digital signature is... well, invalid. It's not worth trusting. It's nothing surprising that you can copy signatures on files, and then you'll get files with invalid signatures. That's the nature of the technology. It's a security issue only to people who don't understand how digital signatures work or don't bother to care.

With all due respect, where in the world does it say that this thread is about anti-malware products and that only those who care about anti-malware products may enter? If I had seen such a warning, I surely would not have posted at all. But there ain't no such warning here anywhere. The title is quite clear: "If a file is signed does that mean it is clean?" The answer to the title's question is quite clear, too: "No, it doesn't mean that it's clean." In the first post of the thread, you asked: "What do you think guys?" Folks have been giving answers, regardless of whether they care about anti-malware products or not. My answer's been given, too. If a file has a digital signature from someone you trust, then the file might be considered trustworthy. The digital signature obviously has to be valid to be worth anything, though. If some security software can't understand the difference between a valid and invalid signature, I guess that's a problem for the developers and users of said security software, assuming the users don't check the digital signatures themselves.

 

It appears to me that all of the assertions made by Windchild concerning digital signatures are factually accurate.

In summary, when an executable file is (1) signed by a trustworthy source and (2) the signature has been validated, then the user can be highly confident that (a) the file originated from the source and that (b) the contents of the file have not been altered. Theoretically, digital certificates can be stolen or a user may misjudge the trustworthiness of a source, but otherwise the logical integrity of code signing is solid.

One possible exception: MD5 signatures in code signing have known weaknesses, but real life cases where malware authors have exploited these shortcoming are, to the best of my knowledge, essentially unknown. MD5 is still supported for signing code, but SHA1 is (and has been) the common standard and avoids these considerations.

Brought to my attention by IBK, an excellent and recent presentation by F-Secure on the subject is: It's Signed, therefore it's Clean, right?

 

I was not trying to refute or belittle someone's assertions. I already mentioned the article on the thread's very first post as a reference. As a matter of fact the main idea behind this thread was to be able to have a discussion in order to find possible solutions to this growing problem. Moreover, one of the points of the F-Secure article was to resolve such a problem by getting antivirus companies involved in creating a communication infrastructure between them that will enable the identification of fake or suspect certificates.

Thanks.

 

Here is the bottom line of the F-Secure article

What Should Be Done?

Authenticode is too useful for us to ignore
• We have to work as industry to prevent situation from getting worse
• Currently revocation processes are not working that well
• Getting CAs to react on abuse reports requires a lot of work
• Personally I have not received a single reply or reaction
• We need AV industry wide co-operation to fix this
• We should have way to report compromised keys to each other
• We should have common reporting channel to CAs
• So that we do not have to fight through first level support when we
report abuse case

Reference:

Niemela, Jarno. "News From The Lab." F-Secure.com. F-Secure Corporation, 07/12/2010. Web. 5 Aug 2010. <http://www.f-secure.com/weblog/archives/Jarno_Niemela_its_signed.pdf>.

So I was NOT trying to disprove someone assertions. My main point on this thread is to have a polite discourse and find solutions.

Thanks.

 

Since I could not have been able to read your mind, therefore I could only rate your answer by what you wrote. Consequently, based upon what you wrote, yes you were wrong. Of course there is always a next time, as you eloquently put. Thus, next time please remember to write exactly what you were thinking so that I would not have the opportunity to tell you that you were wrong.

Thanks.

 

What kind of solutions are we expecting to find here? If we're talking solutions for end-users instead of solutions for people who work inside security companies or certificate authorities, then the first part of the solution obviously ought to be check the validity of any digital signatures you intend to care about. The signature is meaningless if it's not valid. Checking that takes care of the typical copied signature, which will check up as invalid. The end-user can't do that much about the other stuff, except to stay up to date on the news, for example, which might warn of any outbreaks with certain signed malicious files like the LNK exploit malware Stuxnet.

As far as security companies and CAs are concerned, some solutions for them:
- actually check signature validity before assuming the signature means anything
- don't give out certs like candy to random folks, do serious background checking and verification to ensure your clients really are who they claim to be
- establish channels for feedback so you can quickly react to compromised certs or certs given to malicious parties under false company names
Basically, the kind of stuff F-Secure suggests. I suspect no-one has any particularly fancy ideas to solve the problem. It's just the old and obvious stuff: check validity, be careful with who you issue certs to, secure your own certs so Joe Badguy can't walk through the door and take everything, and establish communication channels so you can react to any errors. All of this would be easy if people weren't lazy and ignorant, which leads to sloppy work.

Well, there is something else you could have done, which is something I myself try to do most of the time. Kind of a mother's teachings kind of courtesy thing. And it's this: When reading a statement that can be interpreted to mean either
A. something utterly idiotic (like, say, the idea that invalid signatures are trustworthy)
or
B. something that makes sense,
try to assume the B option or at least don't immediately assume A with great confidence, unless you're confident whoever made the statement is likely to be wrong about most anything.

But yes, I was wrong to assume that people discussing digital signatures in a security forum understood that a digital signature is worthless if it's invalid, and I was wrong to omit the disclaimer that I'm talking about valid signatures only. Next time wiser, as said.

Still, if we're going to really nitpick, I might as well state again that the statement you criticized wasn't actually wrong, regardless of whether I failed to mention valid vs invalid. And there's no mind-reading required to realize this, just plain English-reading, although one does need to do pretty careful reading. My statement of "If the signature belongs to someone trustworthy, then you might consider trusting the file to be clean" is correct unless you fail to read the words "might consider." I try not to play the English teacher, but "might consider" implies possibility, not certainty. "Might consider trusting" is not the same as "you definitely should trust." So, it's quite correct to say that you might consider trusting a file that has the signature of someone trustworthy. In other words, you might consider trusting a signed file only if it has the digital signature of someone you trust, not just because it has some random digital signature. This advice in contrast to the obvious fact that you shouldn't even consider trusting a file that has the signature of someone who isn't trustworthy to you - in these cases, there's nothing to consider, the file just plain isn't trustworthy to you. So, next time, more careful reading.