Forging of digital signatures by malware?

I've noticed that some firewall/HIPS combos, particularly Privatefirewall and Outpost Free, have trusted digital signatures for certain vendors. In Privatefirewall you can supposedly remove the exceptions, but exceptions will in fact remain even after "removal"; in Outpost, as far as I can tell, you simply can't even pretend to remove any of them.

Is it just me, or is this a bad idea? How hard can it be for a malware writer to forge a "valid" digital signature, bypassing the execution control complete? Have there been any ITW examples of such?

 

Very doubtful. Digital signatures are encrytped and specific to the vendor. I think it would be harder to do, than find another way to infect.

 

But we've seen some malware (e.g. Conficker, Torpig) that's obviously designed with the help of encryption experts...

 

I might have spoke to soon. Check this out....http://www.zdnet.co.uk/news/security-management/2004/08/18/digital-signatures-could-be-forged-39163876/

 

I don't believe any digital signatures use MD5 anymore, as, as you can see by the date on that article, it has been broken for some time. IIRC, SHA-1 is still secure.

 

Whoops my bad. I didn't even look at the date.

 

The only easy way is gain access to a trusted vendors machine, swipe his keys/certificate then compile and sign malware code with them.

 

Yes there is, this one for example: http://info.prevx.com/aboutprogramtext.asp?PX5=59273DE5484BD24C36D9014572A13E00677EC90F

 

Hmm so that forges Lavalys' signature? Interesting. I wonder how that happened.

 

Interesting topic. I've always deselected any options to implicitly trust signed files and so far in MD and avast!, I haven't noticed any performance hits from doing so.

From what's been posted so far, it sounds like it is only a matter of time before SHA-1 will be broken as well.

 

Unfortunately in several HIPS it's not possible to disable the exceptions for software with recognized digital signatures.

 

That's not good!

 

I guess it depends whether the signature/certificate is being verified with WinVerifyTrust(...). If it is, then the fakes will fail miserably.

All that's being done by the malware authors is ripping the version info from the legitimate file and placing that in the malware file. The certificate is always appended to the end of the file (an overlay). Take the overlay and append to malware - now you fool the unsuspecting.

 

It's more common than people might think, has been happening for some time, and i expect it to continue Here's just a few links i found, of many, that have more details and proof.


SSL security flaw with MD5 certificates announces today http://www.broadbandreports.com/forum/remark,21655254

Man In The Middle (MITM) exploit http://www.broadbandreports.com/forum/remark,23625598

"Funky" Microsoft site certificate? http://www.broadbandreports.com/forum/remark,17579410

nul. /c del - Comes free with this Nasty ! http://www.broadbandreports.com/forum/remark,16530241

Digital Signatures https://www.wilderssecurity.com/showthread.php?t=253936

Trust ain't what it used to mean

 

Since the private key (certificate) is protected by a passphrase, the adversary would need to know that information as well in order to sign code. Additionally, if the company uses key splitting (in which multiple people must collaborate in order to rejoin the private key), then the risk is further reduced.

Based upon my understanding of the process of signing an executable, this technique would not work. After a file is digitally signed, any alteration of the executable would result in a validation failure -- i.e., the signature provides authentication (knowing the file’s creator) and integrity (knowing the file’s contents are unchanged).

 

Can you please provide descriptions of recent occurrences? The old MD5 problem is history, I believe; and a man-in-the-middle attack does not succeed because certificates are “forged.”

Thank you.

 

It's not a bad idea - assuming the digital signatures are checked properly. Everything becomes a bad idea when done wrong...

Extremely hard. To put some perspective on the issue, let's try to find a malware sample that uses a forged digital signature from some "trusted vendor" and that signature actually properly checks out on the malware executable, instead of giving an invalid signature error when checked. Anyone got such a sample? I didn't think so... But you could also ask your trusted security software vendor of choice how easy it is to forge valid digital signatures.

None that I know of. Many people are confused about digital signatures, though, and fail to understand the difference between "a malicious file that is digitally signed with the signature of some random dude with some random name" and "a malicious file that is digitally signed with the signature of a trusted vendor such as Mozilla". Finding examples of the former ain't hard - fake AVs and adware type stuff, for example, is occasionally digitally signed, but the signature belongs to an untrusted, unknown vendor. So, yeah, there is certainly malware that's digitally signed. And that's not a problem in any way. A file isn't trustworthy because it has a digital signature. A file is trustworthy because it has the digital signature of a vendor you trust. But the confused folks think that any valid digital signature is supposed to be some kind of guarantee that the file is "clean" and legit. That's really not the way to think. Instead, the key question is whose valid digital signature is on the file, and do you trust them?

That PrevX file "info" page really doesn't tell the real story of that file as far as digital signatures are concerned. Questions left hanging and unanswered:
1) Is that file even actually malware, or just some legit file used by some malware? If it's the latter, then it's no wonder if it's signed by a legit vendor...
2) If the file is actually malware, does it even have a digital signature, or just misleading version information "LAVALYS; VeriSign Class 3 Code Signing 2004 CA" that kinda makes it look like it might be signed, maybe, to the untrained eye? Consider that this PrevX page does not actually say the file is signed, it just speaks of version information: "A file with the name 65569695.DAT have been seen to have the following Vendor, Product and Version Information in the file header"
3) If the file is malware and does have the digital signature of a legit software vendor, does the signature check out as valid? Or is it a case of "file might look signed in Windows Explorer, but when you try and check the signature, turns out that the signature is invalid, meaning the file has been tampered with and should not be trusted"?
4) If the file is malware and has a valid digital signature from a trusted vendor, is it really a forged signature - or is it a stolen one?

Me? My guess is that instead of a forged or even stolen digital signature, it's just a bunch of funky version information on the file.

Except that none of those links show a case where a digital signature was forged. You've got the issue confused a little, I believe.
It's very easy to make malware that has a valid digital signature.
It's extremely difficult to make malware that has the valid digital signature of some trusted third party, like Mozilla.

Or in other words, basically what Pleonasm said.

 

Lavalys certificate



Backdoor.Win32.Hodprot.ev - fails validation as expected.

 

Malware with Digital Signature? Can't believe it..

 

Emphasis mine. As said, one can put digital signatures on files. The difficulty is in putting someone else's digital signature on your file and have the signature actually check out as valid.

Edit: nice screenshots, though. I'm actually one of those people who likes the new Aero look...

 

For those who may be interested, the Microsoft article Introduction to Code Signing provides a concise overview of the process.

 

Thanks Windchild, I guess in that case my execution control is safe. For now.

 

Digital signature is safe and can't be manipulated without breaking it. You need to steal the key, only then you can sign your files as trusted coming from a XYZ manufacturer. If I remember well it happened once to Microsoft, but the key was black listed fast enough. Done.

Fax

 

If you mean to select which vendors? No that is not an option.

The option to "Automatically allow applications signed by trusted vendors." is just that an option, Uncheck that box and there is no feature. Remove any rules that were created for said applications and they are gone.

The feature in Outpost it not simply to allow any application with a signature from a trusted vendor. The application still has to be in the Improvenet list which carries its own identification factors. So stolen certificate or not, a malware would not be automatically allowed.

 

Oh, I didn't notice that option... D'oh. PrivateFirewall appears not to have a similar one unfortunately, though.