Issued for Abuse: Measuring the Underground Trade in Code Signing Certificates

03/08/2018
by   Kristián Kozák, et al.

Recent measurements of the Windows code-signing certificate ecosystem have highlighted various forms of abuse that allow malware authors to produce malicious code carrying valid digital signatures. However, the underground trade that allows miscreants to acquire such certificates is not well understood. In this paper, we illuminate two aspects of this trade. First, we investigate four leading vendors of Authenticode certificates, document how they conduct business, and estimate their market share. Second, we collect a data set of recently signed malware and use it to study the relationships among malware developers, malware families and the certificates. We also use information from the black market to fingerprint the certificates traded and to identify when they are likely used to sign malware in the wild. Using these methods, we document a shift in the methods that malware authors employ to obtain valid digital signatures. While prior studies have reported the use of code-signing certificates that had been compromised or obtained directly from legitimate Certification Authorities, we observe that, in 2017, these methods have become secondary to purchasing certificates from underground vendors. We also find that the need to bypass platform protections such as Microsoft Defender SmartScreen plays a growing role in driving the demand for Authenticode certificates. Together, these findings suggest that the trade in certificates issued for abuse represents an emerging segment of the underground economy.
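Linking signed malware to the certificates it carries, as the abstract describes, starts from the Authenticode signature embedded in each PE file. The Python below is an added example, not code from the paper or its authors: it locates the certificate table through the security data directory, pulls out each PKCS#7 SignedData blob, and computes the Authenticode file hash ("authentihash"), which covers every byte of the image except the CheckSum field, the security directory entry and the certificate table itself. That hash is the value the signer actually signs, so it stays constant when the same binary is re-signed with a different certificate, which makes it the natural key for clustering samples across certificates. The sample PE is constructed inline (a minimal PE32+ skeleton, not a real program) and the signature blob is a placeholder rather than real DER; parsing the blob to get the signer certificate's thumbprint, subject and validity is the next step and is left to a PKCS#7 parser such as `openssl pkcs7 -inform DER -print_certs`.

```python
import hashlib
import struct

SECURITY_DIR_INDEX = 4               # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 2   # bCertificate holds PKCS#7 SignedData


def _pe_layout(data: bytes) -> dict:
    """Find the fields Authenticode hashing excludes, plus the section raw-data
    ranges. Malformed input raises ValueError instead of hashing the wrong bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x20B:                 # PE32+: data directories start at +112
        dd_off = opt_off + 112
    elif magic == 0x10B:               # PE32: data directories start at +96
        dd_off = opt_off + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sec_dir_off = dd_off + SECURITY_DIR_INDEX * 8
    cert_off, cert_size = struct.unpack_from("<II", data, sec_dir_off)
    sections = []
    sec_table = opt_off + opt_size
    for i in range(nsections):         # SizeOfRawData, PointerToRawData at +16
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    sections.sort()                    # spec: hash sections in file order
    return {"checksum_off": opt_off + 64, "sec_dir_off": sec_dir_off,
            "size_of_headers": struct.unpack_from("<I", data, opt_off + 60)[0],
            "cert_off": cert_off, "cert_size": cert_size, "sections": sections}


def authentihash(data: bytes, algo: str = "sha256") -> str:
    """Authenticode file hash: skips CheckSum (4 bytes), the security directory
    entry (8 bytes) and the certificate table; hashes headers, sections, overlay."""
    lay = _pe_layout(data)
    h = hashlib.new(algo)
    h.update(data[:lay["checksum_off"]])
    h.update(data[lay["checksum_off"] + 4:lay["sec_dir_off"]])
    h.update(data[lay["sec_dir_off"] + 8:lay["size_of_headers"]])
    hashed = lay["size_of_headers"]
    for raw_ptr, raw_size in lay["sections"]:
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    extra = len(data) - hashed - lay["cert_size"]   # overlay minus cert table
    if extra > 0:
        h.update(data[hashed:hashed + extra])
    return h.hexdigest()


def extract_authenticode_blobs(data: bytes) -> list:
    """Return every PKCS#7 SignedData blob in the WIN_CERTIFICATE table."""
    lay = _pe_layout(data)
    table = data[lay["cert_off"]:lay["cert_off"] + lay["cert_size"]]
    blobs, pos = [], 0
    while pos + 8 <= len(table):
        length, _revision, cert_type = struct.unpack_from("<IHH", table, pos)
        if length < 8 or pos + length > len(table):
            raise ValueError("truncated WIN_CERTIFICATE entry")
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            blobs.append(table[pos + 8:pos + length])
        pos += (length + 7) & ~7       # entries are 8-byte aligned
    return blobs


def build_win_certificate(blob: bytes) -> bytes:
    """WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType, bCertificate."""
    length = 8 + len(blob)
    entry = struct.pack("<IHH", length, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
    return entry.ljust((length + 7) & ~7, b"\0")


def build_sample_pe(sig_blob: bytes, checksum: int = 0, section_fill: bytes = b"\x90") -> bytes:
    """Constructed minimal PE32+ image (headers, one 512-byte section, then the
    certificate table at 0x400). Not a runnable program; only enough structure
    for the hashing and extraction above."""
    win_cert = build_win_certificate(sig_blob)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)      # PE32+ magic
    struct.pack_into("<I", opt, 32, 0x1000)    # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)     # FileAlignment
    struct.pack_into("<I", opt, 56, 0x2000)    # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)     # SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)  # CheckSum (excluded from hash)
    struct.pack_into("<I", opt, 108, 16)       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + SECURITY_DIR_INDEX * 8, 0x400, len(win_cert))
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    section_hdr = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200,
                                                0, 0, 0, 0, 0x60000020)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section_hdr).ljust(0x200, b"\0")
    return headers + (section_fill * 0x200)[:0x200] + win_cert


if __name__ == "__main__":
    sample = build_sample_pe(b"\x30\x82\x01\x23" + b"A" * 40)   # placeholder, not real DER
    print("authentihash:", authentihash(sample))
    print("blobs:", [b.hex() for b in extract_authenticode_blobs(sample)])
```

Two sanity checks follow from the design: re-signing the same image with a different blob or a different CheckSum leaves the authentihash unchanged, while any change to header or section bytes alters it. On real samples, take the extracted blob to a PKCS#7 parser to obtain the signer certificate and its thumbprint; the authentihash then gives the per-binary key and the thumbprint the per-certificate key for building the developer / family / certificate relationships the paper studies.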


