Why You Shouldn't Completely Trust Files Signed with Digital Certificates

Discussion in 'malware problems & news' started by Minimalist, Jan 29, 2015.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,054
    https://securelist.com/blog/securit...trust-files-signed-with-digital-certificates/
     
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    It's not only cyber-criminals.

    I'd like to see an independent signature publication of all drivers from Realtek and Jmicron for example, preferably backed by the manufacturers. Trust in the certificates is greatly reduced.
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    One of the first options I set with SSM pro is disabling the "trust signed binaries" and "silent checksum update for digitally signed files" options. This system is broken. As long as certificate authorities are in the equation, it will remain broken. Stuxnet used signed files, as does most other government malware. Signing keys can be stolen, coerced, or "legally required" from vendors. My system trusts file hashes only. The classic HIPS uses one hash. The integrity checker uses another. A good adversary might be able to create a malicious replacement file where one of the hashes match. I seriously doubt that they can make it match more than one.
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,054
    I did similar with Malware Defender. I also don't set any certificate rules when setting up SRP.
     
  5. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'd bet that the components for WGA were signed files, even though they were little more than spyware.
     
  6. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    Wouldn't a properly configured HIPS with capability of disabling/not allowing applications even though the
    digital certificates are considered valid?
     
  7. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    I haven't read the article but from OP's quote there're some debatable points.
    Certificate should never be used as an indication that the file doesn't contain malicious code and AFAIK no modern AV (not HIPS) automatically trust a file just because it is properly signed.

    The cert just proves that the file is not modified and who developed the file as well as who authenticated it, besides some additional info e.g. there're grade in cert that indicates how strict audit was done and how more money the dev paid.

    Of course there're some holes in current system, not only compromised cert but also e.g. spoof Windows UAC prompt's cert info or interfere with installation process. So I'll read it anyway.
     
Loading...