Digital Signatures

Id like to better understand the concept of digital signatures with regards to software installers and updates. How exactly does it work. How would I know if a product has been digitally signed by the vendor? I have heard that if the installer is tampered with then the signature wont apply. Is this true? If so what are the signs to look out for? Also is it possible for malware writers to spoof a digital signature? If so what are the different ways in which this can be done? For example can they spoof the exact signature? Or something close like hypothetically the signer is Avira inc, but the malware writers use Avira Ltd instead. Can anyone explain how I can use digital signatures to confirm the authenticity of software, and what are some of the potential pitfalls? Thanks.

 

When a digitally signed program is modified after it was signed, no signature appear. When it need admin rights to run, it will popup an "unidentified publisher" dialog (Vista with UAC enabled).
If you read on the publishers website that the program is digitally signed, but your downloaded version is not, it looks suspicious.

 

Thanks for responding softtouch. Is it possible for malware authors to spoof a digital signature?

 

bump!

 

I'd also like to know if malware (or software that isn't technically malware, but is unwanted, like what Avira calls 'fraudulent software', 'application' and 'security privacy risk') can obtain the digital certificates.

Avira's security suite allows by default software from a LOT of vendors (intel, nvidia and many more). I'm not sure if they use a digital certificate.

Kaspersky (2010) seems to use digital certificates, but I don't recall the details since it has been a while since I used it.

 

As I got my digital signature, I had to go through a verification process. First I had to send them documents, copies of ID's with picture, copies of bills etc., then they made a call to my number to verify the information I submitted.

I believe, you can get a digital signature even you are a malware writer, but I also believe that if malware is digitally signed, and somebody report it, the signature will be made invalid by the issuer. Correct me if I am wrong.

 

Is that correct ?

That doesn't seem safe. Distribute signed malware, wait some time till many computers have been infected, then activate the program in question.

IDs can be faked, especially if one lives in a (third-world) country that issues easy to fake IDs. Or if one manages to bribe a government official to get a fake ID. There are other options. Organized crime should be able to do it.

When I was trialling KIS 2010 I didn't feel comfortable with all those signed applications. For as far as I can recall, they had outbound access in the default setup.

Of course, I use custom settings to be more secure, but I didn't like that part of KIS at all.

And in my current Avira suite I have removed all trusted vendors, except for Avira itself, and one other vendor.

 

I removed all trusted vendors from CFP. I have heard of malware that are digitally signed.

 

How do I know if a download is digitally signed? How do I check that?

 

Right click "Properties" on the downloaded file and click the Digital Signatures tab. Select the signature and details and View Certificate to get the info you want to see.... or don't want to see.

 

It never happened so. Stop 1 and stop 2 exe were allowed to execute and then they were able to bypass and they were not infact malware POCs either. Just a nusiance.

BTW I guess you have to add extensions manually in SRP to block. I wonder how many execuatbel extenions you are going to add. I can use a HIPS like CFP or MD just as an anti-executable like SRP very easily and no more lot of pop ups.

"No execution, no infection" is the simplest and strongest security indeed.

 

Yes, there are ITW malware digitally signed.

 

Your configuration might be the cause. On default config Defence Plus doesn,t give execution alerts from explorer. U need to set it to proactive security. I have tested it myself. Execution alert was there sure I believe.

If there was no execution alert, we must see a thread about it in the forums.

 

Hmm.. I tested them myself at that time infact but now i don,t remember, May be it,s something specific to arran. Did u test urself at that time?

 

Ok, you are right. Sorry for missing the posts.

 

Hi guys,

Thanks for all the responses. What I am particularly interested in is malware which attempts to spoof legitimate software from trusted sources. How similar a signature can a malware author get to the real thing.

Hypothetically speaking can a malware author attempting to spoof lets say antivir free get a similar signature as that used by avira? Or atleast one that could fool you into thinking that the signature is from avira?

And what is better to ascertain the authenticity and integrity of something you have downloaded, digital signatures or MD5/SHA 1 hashes? Thanks.

 

As far as I know (and experienced), there are 2 kind of digital signatures, one for companies, where the signature show the registered company name, andone for individual, where the sognature show the person's name.

If you want a signature like avira ltd., then your company must be registered as that. The issuer won't issue a certificate where the name is different (at least that the way it should be... I am sure there's a way around it.)

 

So lets say antivir is produced by Avira Inc. And a malware writer in order to spoof aviras digital signature registers a bogus company called Avira Ltd. How easy would it be for him/her to obtain a digital signature for avira ltd?

Also would it be possible for him to create a bogus company with the exact same name as the real Avira, in this case Avira Inc and get a signature for that? Thanks.

 

He would have to submit documents to the issuer. Of course, how could the issuer know how legal documents of every country in the world would look like?
And, he can fax the documents, or send them by email to the issuer. That means, they are scanned, which allow him to modify them in the computer...

 

So basically digital signatures can be spoofed and cannot really be trusted?