Digital Signatures

Discussion in 'other software & services' started by Dregg Heda, Sep 22, 2009.

Thread Status:
Not open for further replies.
  1. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    I'd like to better understand the concept of digital signatures with regard to software installers and updates. How exactly does it work? How would I know if a product has been digitally signed by the vendor? I have heard that if the installer is tampered with then the signature won't apply. Is this true? If so, what are the signs to look out for? Also, is it possible for malware writers to spoof a digital signature? If so, what are the different ways in which this can be done? For example, can they spoof the exact signature? Or something close, like hypothetically the signer is Avira Inc, but the malware writers use Avira Ltd instead. Can anyone explain how I can use digital signatures to confirm the authenticity of software, and what are some of the potential pitfalls? Thanks.
     
  2. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    When a digitally signed program is modified after it was signed, no signature appears. When it needs admin rights to run, it will pop up an "unidentified publisher" dialog (Vista with UAC enabled).
    If you read on the publisher's website that the program is digitally signed, but your downloaded version is not, it looks suspicious.
     
  3. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Thanks for responding softtouch. Is it possible for malware authors to spoof a digital signature?
     
  4. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    bump!
     
  5. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    I'd also like to know if malware (or software that isn't technically malware, but is unwanted, like what Avira calls 'fraudulent software', 'application' and 'security privacy risk') can obtain the digital certificates.

    Avira's security suite allows by default software from a LOT of vendors (intel, nvidia and many more). I'm not sure if they use a digital certificate.

    Kaspersky (2010) seems to use digital certificates, but I don't recall the details since it has been a while since I used it.
     
  6. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    As I got my digital signature, I had to go through a verification process. First I had to send them documents, copies of IDs with picture, copies of bills etc., then they made a call to my number to verify the information I submitted.

    I believe you can get a digital signature even if you are a malware writer, but I also believe that if malware is digitally signed, and somebody reports it, the signature will be made invalid by the issuer. Correct me if I am wrong.
     
  7. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069

    Is that correct?

    That doesn't seem safe. Distribute signed malware, wait some time till many computers have been infected, then activate the program in question.

    IDs can be faked, especially if one lives in a (third-world) country that issues easy-to-fake IDs. Or if one manages to bribe a government official to get a fake ID. There are other options. Organized crime should be able to do it.

    When I was trialling KIS 2010 I didn't feel comfortable with all those signed applications. For as far as I can recall, they had outbound access in the default setup.

    Of course, I use custom settings to be more secure, but I didn't like that part of KIS at all.

    And in my current Avira suite I have removed all trusted vendors, except for Avira itself, and one other vendor.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I removed all trusted vendors from CFP. I have heard of malware that are digitally signed.
     
  9. LenC

    LenC Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    846
    Location:
    CT, USA
    How do I know if a download is digitally signed? How do I check that?
     
  10. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
    Right click "Properties" on the downloaded file and click the Digital Signatures tab. Select the signature and details and View Certificate to get the info you want to see.... or don't want to see. :)
     

    Attached Files:
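The same check as the Properties > Digital Signatures tab described in the post above, done from PowerShell; this is an added example, not part of the original thread. It also compares the signing certificate's thumbprint with a value obtained from the vendor out of band, since the publisher name alone can be a look-alike (the thread's hypothetical "Avira Inc" versus "Avira Ltd"). The function name `Test-InstallerSignature`, the file name and the thumbprint placeholder are assumptions for illustration.

```powershell
# Added example: verify an installer's Authenticode signature and pin the signer.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Thumbprint of the vendor's signing certificate, obtained out of band
        # (placeholder value supplied by the caller, not taken from the thread).
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate   # $null when the file is unsigned

    $result = [pscustomobject]@{
        Path        = $Path
        Status      = [string]$sig.Status
        Subject     = if ($cert) { $cert.Subject }    else { $null }
        Issuer      = if ($cert) { $cert.Issuer }     else { $null }
        Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
        Timestamped = [bool]$sig.TimeStamperCertificate
        Verdict     = 'Reject'
        Reason      = ''
    }

    switch ($result.Status) {
        'NotSigned'    { $result.Reason = 'File carries no signature' }
        'HashMismatch' { $result.Reason = 'File contents changed after it was signed' }
        'Valid' {
            # A valid chain only proves that *some* publisher signed the file.
            # Pin the certificate itself instead of trusting the displayed name.
            $expected = $ExpectedThumbprint -replace '\s', ''
            if ($cert.Thumbprint -eq $expected) {
                $result.Verdict = 'Accept'
                $result.Reason  = 'Valid signature from the expected certificate'
            } else {
                $result.Reason  = 'Valid signature, but from a different certificate'
            }
        }
        default { $result.Reason = "Signature not trusted: $($sig.StatusMessage)" }
    }
    $result
}

# Usage (constructed file name and placeholder thumbprint):
# Test-InstallerSignature -Path .\setup.exe -ExpectedThumbprint '<VENDOR-CERT-THUMBPRINT>'
```

Vendors replace signing certificates when they expire, so a thumbprint mismatch on a new release calls for re-checking the vendor's published value rather than assuming tampering.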

  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It never happened so. Stop 1 and stop 2 exe were allowed to execute and then they were able to bypass and they were not in fact malware POCs either. Just a nuisance.

    BTW I guess you have to add extensions manually in SRP to block. I wonder how many executable extensions you are going to add. I can use a HIPS like CFP or MD just as an anti-executable like SRP very easily and no more lot of pop ups.

    "No execution, no infection" is the simplest and strongest security indeed.
     
  12. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, there are ITW malware digitally signed.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Your configuration might be the cause. On default config Defence Plus doesn't give execution alerts from explorer. U need to set it to proactive security. I have tested it myself. Execution alert was there sure I believe.

    If there was no execution alert, we must see a thread about it in the forums.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hmm.. I tested them myself at that time in fact but now I don't remember. Maybe it's something specific to arran. Did u test urself at that time?
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ok, you are right. Sorry for missing the posts.
     
  16. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Hi guys,

    Thanks for all the responses. What I am particularly interested in is malware which attempts to spoof legitimate software from trusted sources. How similar a signature can a malware author get to the real thing?

    Hypothetically speaking, can a malware author attempting to spoof, let's say, antivir free get a similar signature as that used by avira? Or at least one that could fool you into thinking that the signature is from avira?

    And what is better to ascertain the authenticity and integrity of something you have downloaded, digital signatures or MD5/SHA 1 hashes? Thanks.
     
  17. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    As far as I know (and experienced), there are 2 kinds of digital signatures, one for companies, where the signature shows the registered company name, and one for individuals, where the signature shows the person's name.

    If you want a signature like avira ltd., then your company must be registered as that. The issuer won't issue a certificate where the name is different (at least that's the way it should be... I am sure there's a way around it.)
     
  18. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    So let's say antivir is produced by Avira Inc. And a malware writer, in order to spoof Avira's digital signature, registers a bogus company called Avira Ltd. How easy would it be for him/her to obtain a digital signature for avira ltd?

    Also would it be possible for him to create a bogus company with the exact same name as the real Avira, in this case Avira Inc and get a signature for that? Thanks.
     
  19. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    He would have to submit documents to the issuer. Of course, how could the issuer know what legal documents of every country in the world would look like?
    And he can fax the documents, or send them by email to the issuer. That means they are scanned, which allows him to modify them in the computer...
     
  20. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    So basically digital signatures can be spoofed and cannot really be trusted?
     