The Rise of Digitally Signed Malware

Discussion in 'other security issues & news' started by Rasheed187, Mar 11, 2014.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    That´s why I never use the option in HIPS to automatically trust signed apps. :)

    For more info, see page 9 of the PDF file on this page:

    http://www.mcafee.com/us/about/news/2014/q1/20140310-01.aspx
     
  2. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    700
    Location:
    North of the 38th parallel.
    Quis custodiet ipsos custodes? :(
     
  3. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    I wonder if this counts legitimate "downloaders" with bundled adware.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Totally agree. On SSM, that's one of the first options I deselect.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    "Who will guard the guards themselves?" I had to look it up. ;)

    But yes, you can trust no app. They are guilty until proven innocent. :cool:
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I would extend that to include updates, both to applications and to the operating system.
     
  7. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492

    I use several unsigned software (Openoffice, Stunnel etc) and initially felt slightly uncomfortable about the unsigned condition of those, but recently my gut feeling says "trust the developer [and user base] not the certificate". Combined with a matching sha256 it's good to go for me. Of course, a certificate on top of that won't hurt. :D
     
  8. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    sha256sum doesn't mean anything if someone has falsified the checksum.

    (OpenOffice should be providing GPG verified checksums for their installers though. I'd be quite surprised, and disappointed, if they don't...)
     
  9. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492

    Checksums could make sense if there are multiple sources for the same file/installer. Of course, if the "master server" unknowingly is serving a malicious installer and a fake checksum and also propagates its files to alternative download sites it's all lost.

    OpenOffice presents checksums for their installers, but one has to look for it (it's not available next to your download-file-link as this would be the common way):

    -http://www.openoffice.org/download/checksums/3.4.1_checksums.html
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    I rarely bother verifying checksums or even care whether or not the file is signed. Simply downloading from known trusted sites has never failed me once in many years.
     
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    If an adversary was going to take the time to create a malicious installer and file hash, what's to prvent them from creating a new key with the original name, uploading it to the keyserver and signing the file with that key? How far do you want to go with checking key trust? If an adversary can compromise a file server, what prevents them from doing the same with a key server? Unless you receive that signing key directly from the issuers hand, you're trusting that the infrastructure that stores and delivers that key hasn't been compromised. With 3 letter agencies compromising servers and creating malware, that is no longer assured.
    It doesn't matter if the verification is a checksum or an armored signature file. What matters is the integrity of the system or individual from which you obtain it.

    edit
    A current example of fake keys. The potential implications are clear.
    https://lists.torproject.org/pipermail/tor-dev/2014-March/006422.html
    How bad can it get? What would stop the same adversary from modifying the page I just linked to?
     
    Last edited: Mar 16, 2014
  12. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    True. Like in security, the trust will have to stem from the multi layered approach - the combined layers such as digital signatures, hash, source, author's trust. But there are no guarantees.
     
    Last edited: Mar 21, 2014
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Yes exactly, I always turn auto-update off. :)

    Check this thread out, they got owned because of auto-update:

    https://www.wilderssecurity.com/showthread.php?t=360750
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I think it's a matter of time until we see that happen with a mainstream application or an operating system. I wouldn't be surprised if it's already happening with closed source aplications and operating systems, given some of them cooperating/collaberating with the NSA. The combination of rapid update policies and auto-updating would make it quite easy for a large adversary like a government agency to compromise people en masse, something the NSA has made clear they want to do.

    This is one of several reasons I chose to make updating and installing a manual, "administrator only" task. I also make a backup of the OS before I update or install anything new, just in case the update/application causes problems or has features I don't want. On several occasions I've reverted to earlier versions of apps due to incompatibilities, feature creep, bloat, or undesired behaviors. With backup images, I don't have to worry about what an uninstaller might miss or with putting settings back where I want them.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Yes exactly.

    Here a couple of more interesting articles:

    https://blogs.mcafee.com/mcafee-labs/digitally-signed-malware-just-what-can-you-trust-now
    http://www.pcworld.com/article/2519...s_increasingly_prevalent_researchers_say.html
    http://www.symantec.com/connect/blogs/64-bit-system-driver-infected-and-signed-after-uac-bypassed
     
  16. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    A difficult balance. On the one hand a program update most likely contains security patches. On the other hand, the update might've been tampered with. So how long does one wait to apply a patch?
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    That´s true. But if you´re running 3 HIPS on one machine, do we even need patches? :D
     
  18. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    Haha, that's one way to look at the problem.
    Well, perhaps it's best to wait 1-2 days and see if others are having problems first!

    The only software I auto update is Chrome and Windows.
     
  19. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    On those few virtual systems that I still patch, it's more a question of "if" than "when" I patch. When MS passed WGA as a security update, it made me very selective about updating. Some of the updates cause the same problems as new applications, namely changing settings. On a few occasions, patches have re-enabled services I had disabled. My primary/virtual host system is unsupported and hasn't seen an official patch in many years. It runs on unofficial upgrades. That said, a hardened attack surface and classic HIPS go a long way.

    Regarding updating applications, if the update doesn't fix a problem or add an ability that I need, I usually don't update. With browsers for example, a lot of the changes are cosmetic or feature creep, with broken extensions and calling home for increasing numbers of reasons topping the list. The "security improvements" in the newer versions are being offset by erosions of privacy.
     
  20. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    I tend to do like you. Microsoft - I install only critical updates. But I always check the Recommended updates just to see if it adds to stability etc. I think I've skipped several dozens Recommended patches so far and it's been time consuming to check each and every KB online to see what it adds to the system. But I am satisfied to know my system has less bloat.

    Non MS software - I rarely need the newest features anyway, I update them only if they contain security patches.
    With Chrome, I have never skipped updates because they always contain critical patches. :)

    It can be noted that sometimes security patches are not specifically mentioned, they're merely categorized as bug fixes. I think Linux has done this in the past or was it Linus that said all security patches are bug patches and felt there was no need to point out that some of them were actually security patches?
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Believe it or not, I haven´t even patched my old Win XP machine in 4 years. It´s protected by HIPS + firewall + common sense. Guess what, not a single infection. But it might have been luck and of course I wouldn´t recommend this approach to average Joe. :)

    Back on topic:

    When testing SpyShelter I did select the option "allow signed apps", and it was a bit refreshing to see how it didn´t bother you with any alerts anymore. But why use HIPS, if you don´t want to be bothered? I was also shocked to see how many software companies are considered trustful, in Comodo´s HIPS database. I mean that´s just asking for trouble. o_O
     
  22. guest

    guest Guest

    To keep the whiners quite. :ninja:

    But I see no problem as long as it can be disabled. Well, perhaps it will bloat the updates, but at least you still have a way to keep control of what your computer can do. It's not like the software is dumbed-down pass repairable. So again, it's not something to worry about IMO.
     
  23. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    We run very different configurations. On SSM, when the UI is disconnected, there are no prompts of any kind. Any activity that doesn't fall under the list of what's allowed is silently blocked. The only time I connect the UI is when I'm updating or installing or running something new, which is very seldom. Except for a couple of "unzip and go" apps, my system hasn't changed in nearly a year.

    Regarding HIPS that rely on vendor databases or whitelists, this reintroduces many of the problems that HIPS were originally designed to avoid, including:
    1, Incomplete listings.
    2, Out of date listing.
    3, Reliance on a vendors database.
    4, The security of the vendors servers, and the security of the internet that delivers that database to the security software.
    5, The integrity and trustworthiness of the vendor. IMO, Comodo is very questionable.
    6, Reliance on the vendors decisions regarding what is and is not acceptable. Remember when adware removers were becoming common, when threats of legal actions and such coerced some removers to drop detections of apps that no one wanted?

    IMO, trying to create and maintain a database of everything that's safe or trustworthy is as futile as trying to make one of all of the malicious code. Both are in the millions and change by the moment. Myself, I don't need a whitelist of everything that someone else considers trustworthy. The only whitelist I want is of the apps that I use, the system executables that need to run during normal usage, and how they're allowed to interact.
     
  24. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    @noone_particular, a setup like that is wonderful, until you start compiling stuff (too many binaries to deal with) or using full-featured scripting languages (which breaks a lot of the security).
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    I think you misunderstood me. I´ve just switched to a new machine (from Win XP to Win 8.1) and I was only testing SpyShelter. Because it´s a new machine, I need to install quite a lot.

    Normally I also use a HIPS in the way you described, so you make a list of allowed apps, give them certain permissions, and if you don´t install a whole lot of new apps, you almost won´t get to see any alerts at all. :)

    I completely agree. :thumb:
     
Loading...
Thread Status:
Not open for further replies.