According to a recent post on the F-Secure blog, they’ve found malware that was signed with a code signing certificate issued by a CA owned by the Malaysian government. Malware signed by a trusted CA is especially pernicious, because signed applications are less likely to show warnings to the user when downloaded from the Internet than applications that have no digital signature. In the case of the malware found by F-Secure, the malware is signed as though it was authored by Adobe Systems Incorporated. We’re so used to thinking of CAs as invulnerable that if our computer tells us an application appears to be digitally signed by a reputable software company, who are we to disagree with that assessment?
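The practical lesson of that paragraph is that "the signature is valid" and "the publisher is who it claims to be" are different checks: the operating system answers the first, and the F-Secure sample passes it. The following is an added example, not code from the blog or from F-Secure, showing how a defender can layer the second check on top on a Windows host. It assumes PowerShell 5.1 or later, and the subject string, thumbprint and file path are placeholders to be replaced with the publisher certificates you have verified out of band.

```powershell
# Added example, not code from the post or from F-Secure. Assumes a Windows host with
# PowerShell 5.1+ and a signed PE file at $FilePath. The subject string, thumbprint and
# path below are placeholders: replace them with the publisher certificates you expect.

# Allow-list of publisher subject names -> SHA-1 thumbprints of the signing certificates
# you have verified out of band. A certificate that merely *names* Adobe is not enough;
# it must be the specific certificate (thumbprint) you expect.
$ExpectedPublishers = @{
    'CN=Adobe Systems Incorporated, O=Adobe Systems Incorporated, L=San Jose, S=California, C=US' = @(
        'PLACEHOLDER-THUMBPRINT-1'
    )
}

function Test-PublisherSignature {
    param(
        [Parameter(Mandatory)] [string]    $FilePath,
        [Parameter(Mandatory)] [hashtable] $Expected
    )

    $sig = Get-AuthenticodeSignature -FilePath $FilePath

    # Step 1: the signature itself must validate (hash matches, chain builds to a trusted root).
    # This is the only check most users ever see, and it is the one signed malware passes.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ File = $FilePath; Verdict = 'REJECT'; Reason = "Signature status: $($sig.Status)" }
    }

    $cert = $sig.SignerCertificate

    # Step 2: rebuild the chain with online revocation checking so a certificate the CA has
    # since revoked (as happens once a CA compromise is discovered) is not accepted.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if (-not $chain.Build($cert)) {
        $statuses = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        return [pscustomobject]@{ File = $FilePath; Verdict = 'REJECT'; Reason = "Chain/revocation failure: $statuses" }
    }

    # Step 3: the signer must be a publisher we expect, by exact subject *and* thumbprint.
    # A valid signature whose subject says "Adobe" but whose thumbprint is unknown is exactly
    # the case in the post: a genuine certificate from a CA that should never have issued it.
    if (-not $Expected.ContainsKey($cert.Subject)) {
        return [pscustomobject]@{ File = $FilePath; Verdict = 'REJECT'; Reason = "Unexpected publisher subject: $($cert.Subject)" }
    }
    if ($Expected[$cert.Subject] -notcontains $cert.Thumbprint) {
        return [pscustomobject]@{
            File    = $FilePath
            Verdict = 'REJECT'
            Reason  = "Subject matches but thumbprint $($cert.Thumbprint) is not allow-listed (issuer: $($cert.Issuer))"
        }
    }

    return [pscustomobject]@{ File = $FilePath; Verdict = 'ACCEPT'; Reason = "Signed by expected certificate $($cert.Thumbprint)" }
}

# Usage (the path is a placeholder):
Test-PublisherSignature -FilePath 'C:\Downloads\installer.exe' -Expected $ExpectedPublishers
```

The useful output in the third rejection branch is the issuer: a "subject matches, thumbprint unknown" result that names a CA you have never seen issue for that publisher is the detection signal for the situation the post describes, and is worth logging even before the CA gets round to revoking anything.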
As malware production and distribution become more commonplace, expect increasing numbers of attacks on CAs aimed at obtaining signing certificates. As with most attacks, there will be successful ones that we find out about (though the loss of faith in a CA after such an attack probably spells the end of that CA as a commercial entity), and there will also be successful attacks that we are unaware of: CAs that don’t know their processes have been compromised and that malware authors are using their certificates to sign malicious software.
Professional malware operations can invest the time to compromise CAs as a further way of ensuring that their malware spreads. They don’t need to go after the well-secured CAs at the top of the trust chain; they just have to hit the ones a bit further down the tree, the ones that don’t have great security but are still able to issue certificates trusted by the majority of people’s computers. Phishing attacks will certainly be a lot harder to detect if the SSL certificate identifying a site as your bank’s has been issued by a compromised trusted CA.