Forging of digital signatures by malware?

Discussion in 'other firewalls' started by Gullible Jones, May 26, 2010.

Thread Status:
Not open for further replies.
  1. I've noticed that some firewall/HIPS combos, particularly Privatefirewall and Outpost Free, have trusted digital signatures for certain vendors. In Privatefirewall you can supposedly remove the exceptions, but exceptions will in fact remain even after "removal"; in Outpost, as far as I can tell, you simply can't even pretend to remove any of them.

    Is it just me, or is this a bad idea? How hard can it be for a malware writer to forge a "valid" digital signature, bypassing the execution control completely? Have there been any ITW examples of such?
     
  2. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    Very doubtful. Digital signatures are encrypted and specific to the vendor. I think it would be harder to do than to find another way to infect.
     
  3. But we've seen some malware (e.g. Conficker, Torpig) that's obviously designed with the help of encryption experts...
     
  4. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
  5. ace55

    ace55 Registered Member

    Joined:
    Mar 29, 2010
    Posts:
    91
  6. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    Whoops my bad. I didn't even look at the date.
     
  7. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    The only easy way is to gain access to a trusted vendor's machine, swipe his keys/certificate, then compile and sign malware code with them.
     
  8. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
  9. Hmm so that forges Lavalys' signature? Interesting. I wonder how that happened.
     
  10. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,047
    Location:
    United Surveillance States
    Interesting topic. I've always deselected any options to implicitly trust signed files and so far in MD and avast!, I haven't noticed any performance hits from doing so.

    From what's been posted so far, it sounds like it is only a matter of time before SHA-1 will be broken as well.
     
  11. Unfortunately in several HIPS it's not possible to disable the exceptions for software with recognized digital signatures. :eek:
     
  12. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,047
    Location:
    United Surveillance States
    That's not good! :thumbd:
     
  13. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    621
    Location:
    Sydney Australia
    I guess it depends whether the signature/certificate is being verified with WinVerifyTrust(...). If it is, then the fakes will fail miserably.

    All that's being done by the malware authors is ripping the version info from the legitimate file and placing that in the malware file. The certificate is always appended to the end of the file (an overlay). Take the overlay and append to malware - now you fool the unsuspecting.
     
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    It's more common than people might think, has been happening for some time, and I expect it to continue :( Here are just a few links I found, of many, that have more details and proof.


    SSL security flaw with MD5 certificates announces today http://www.broadbandreports.com/forum/remark,21655254

    Man In The Middle (MITM) exploit http://www.broadbandreports.com/forum/remark,23625598

    "Funky" Microsoft site certificate? http://www.broadbandreports.com/forum/remark,17579410

    nul. /c del - Comes free with this Nasty ! http://www.broadbandreports.com/forum/remark,16530241

    Digital Signatures https://www.wilderssecurity.com/showthread.php?t=253936

    Trust ain't what it used to mean :(
     
  15. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Since the private key (certificate) is protected by a passphrase, the adversary would need to know that information as well in order to sign code. Additionally, if the company uses key splitting (in which multiple people must collaborate in order to rejoin the private key), then the risk is further reduced.

    Based upon my understanding of the process of signing an executable, this technique would not work. After a file is digitally signed, any alteration of the executable would result in a validation failure -- i.e., the signature provides authentication (knowing the file’s creator) and integrity (knowing the file’s contents are unchanged).
     
  16. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Can you please provide descriptions of recent occurrences? The old MD5 problem is history, I believe; and a man-in-the-middle attack does not succeed because certificates are “forged.”

    Thank you.
     
  17. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    It's not a bad idea - assuming the digital signatures are checked properly. Everything becomes a bad idea when done wrong...

    Extremely hard. To put some perspective on the issue, let's try to find a malware sample that uses a forged digital signature from some "trusted vendor" and that signature actually properly checks out on the malware executable, instead of giving an invalid signature error when checked. Anyone got such a sample? I didn't think so... But you could also ask your trusted security software vendor of choice how easy it is to forge valid digital signatures.

    None that I know of. Many people are confused about digital signatures, though, and fail to understand the difference between "a malicious file that is digitally signed with the signature of some random dude with some random name" and "a malicious file that is digitally signed with the signature of a trusted vendor such as Mozilla". Finding examples of the former ain't hard - fake AVs and adware type stuff, for example, is occasionally digitally signed, but the signature belongs to an untrusted, unknown vendor. So, yeah, there is certainly malware that's digitally signed. And that's not a problem in any way. A file isn't trustworthy because it has a digital signature. A file is trustworthy because it has the digital signature of a vendor you trust. But the confused folks think that any valid digital signature is supposed to be some kind of guarantee that the file is "clean" and legit. That's really not the way to think. Instead, the key question is whose valid digital signature is on the file, and do you trust them?

    That PrevX file "info" page really doesn't tell the real story of that file as far as digital signatures are concerned. Questions left hanging and unanswered:
    1) Is that file even actually malware, or just some legit file used by some malware? If it's the latter, then it's no wonder if it's signed by a legit vendor...
    2) If the file is actually malware, does it even have a digital signature, or just misleading version information "LAVALYS; VeriSign Class 3 Code Signing 2004 CA" that kinda makes it look like it might be signed, maybe, to the untrained eye? Consider that this PrevX page does not actually say the file is signed, it just speaks of version information: "A file with the name 65569695.DAT have been seen to have the following Vendor, Product and Version Information in the file header"
    3) If the file is malware and does have the digital signature of a legit software vendor, does the signature check out as valid? Or is it a case of "file might look signed in Windows Explorer, but when you try and check the signature, turns out that the signature is invalid, meaning the file has been tampered with and should not be trusted"?
    4) If the file is malware and has a valid digital signature from a trusted vendor, is it really a forged signature - or is it a stolen one?

    Me? My guess is that instead of a forged or even stolen digital signature, it's just a bunch of funky version information on the file.

    Except that none of those links show a case where a digital signature was forged. You've got the issue confused a little, I believe.
    It's very easy to make malware that has a valid digital signature.
    It's extremely difficult to make malware that has the valid digital signature of some trusted third party, like Mozilla.

    Or in other words, basically what Pleonasm said. :D
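    Added example (not code from this thread or from any product named in it): a toy signed-file format that copies the Authenticode layout stackz describes, with the signature in an overlay after the body and the hash covering everything except that overlay. It shows why a grafted overlay fails validation and, as Windchild says, why "valid signature" and "trusted signer" are separate questions. The vendor name, key pairs and file contents are constructed, and textbook RSA over small well-known primes stands in for a real signature scheme.

```python
import hashlib
import struct

# Constructed keys: textbook RSA over well-known small primes stands in for
# a vendor's code-signing key and an attacker's self-generated key. Toy only.
E = 65537
VENDOR_PRIMES, ATTACKER_PRIMES = (1000000007, 998244353), (2147483647, 1000000009)

def toy_keypair(p: int, q: int):
    """Return ((n, e), (n, d)); ~60-bit modulus, no padding, not secure."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def body_digest(body: bytes, n: int) -> int:
    # The hash covers the body and excludes the overlay, just as the
    # Authenticode PE hash skips the certificate table it authenticates.
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def sign_image(body: bytes, priv, signer: str) -> bytes:
    """Append overlay [name_len][name][modulus][signature], then its length."""
    n, d = priv
    sig = pow(body_digest(body, n), d, n)
    name = signer.encode()
    overlay = struct.pack("<I", len(name)) + name + n.to_bytes(8, "big") + sig.to_bytes(8, "big")
    return body + overlay + struct.pack("<I", len(overlay))

def split_image(image: bytes):
    """Find the overlay via the trailing length (stand-in for the PE security directory entry)."""
    olen = struct.unpack("<I", image[-4:])[0]
    return image[:-4 - olen], image[-4 - olen:-4]

def graft_overlay(signed_image: bytes, target_body: bytes) -> bytes:
    """The trick stackz describes: copy a legitimate file's overlay onto another file."""
    _, overlay = split_image(signed_image)
    return target_body + overlay + struct.pack("<I", len(overlay))

def verify_image(image: bytes, trusted: dict) -> tuple:
    """Two separate questions, the way a verifier such as WinVerifyTrust asks them:
    does the signature match the body, and whose key made it?"""
    body, overlay = split_image(image)
    nlen = struct.unpack("<I", overlay[:4])[0]
    signer = overlay[4:4 + nlen].decode()
    n = int.from_bytes(overlay[4 + nlen:12 + nlen], "big")
    sig = int.from_bytes(overlay[12 + nlen:20 + nlen], "big")
    if pow(sig, E, n) != body_digest(body, n):
        return ("invalid", signer)          # body altered or overlay grafted
    if trusted.get(signer) != (n, E):
        return ("valid-untrusted", signer)  # genuine signature, unknown or spoofed vendor
    return ("valid-trusted", signer)
```

With a constructed trust list of {"LAVALYS": vendor_pub}, a vendor-signed file verifies as valid-trusted, the same overlay grafted onto other bytes is invalid, and a file signed with the attacker's own key is valid-untrusted whether the overlay claims "Random Dude" or "LAVALYS".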
     
  18. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    621
    Location:
    Sydney Australia
    Lavalys certificate

    Backdoor.Win32.Hodprot.ev - fails validation as expected.
     
    Last edited: May 27, 2010
  19. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Malware with Digital Signature? Can't believe it..:ninja:
     
  20. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Emphasis mine. ;) As said, one can put digital signatures on files. The difficulty is in putting someone else's digital signature on your file and having the signature actually check out as valid.

    Edit: nice screenshots, though. I'm actually one of those people who likes the new Aero look...
     
    Last edited: May 27, 2010
  21. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
  22. Thanks Windchild, I guess in that case my execution control is safe. For now.
     
  23. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    A digital signature is safe and can't be manipulated without breaking it. You need to steal the key; only then can you sign your files as trusted, coming from an XYZ manufacturer. If I remember well it happened once to Microsoft, but the key was blacklisted fast enough. Done. :)

    Fax
     
  24. FirePost

    FirePost Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    212
    If you mean to select which vendors? No that is not an option.

    The option to "Automatically allow applications signed by trusted vendors." is just that, an option. Uncheck that box and there is no feature. Remove any rules that were created for said applications and they are gone.

    The feature in Outpost is not simply to allow any application with a signature from a trusted vendor. The application still has to be in the Improvenet list, which carries its own identification factors. So stolen certificate or not, malware would not be automatically allowed.
     
  25. Oh, I didn't notice that option... D'oh. :oops: PrivateFirewall appears not to have a similar one unfortunately, though.
     