Digitally signed malware is becoming routine

Even the bad guys are using code-signing certificates.

According to a recent report by McAfee:

"more than 200,000 new and unique malware binaries discovered in 2012 have valid digital signatures"

What this means is that attackers can ship malicious versions of applications and drivers that appear to come from legitimate sources. While most of the signed malware detected comes from test-signing attacks, which can be detected and disabled, the more problematic signed malware carries certificates issued by compromised Certificate Authorities. A compromised CA can issue a signing certificate that imitates a popular vendor such as Apple, Adobe, Google, or Microsoft.

Anti-malware vendors are aware of this, and an effective anti-malware scanner should detect malware even when it is digitally signed. The problem is for people running operating systems without anti-malware scanners who rely on digital signatures to sort legitimate code from the more nefarious stuff. Even if the operating systems of the future only run signed code, it looks as though today's malware authors already have a way around it.
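The two paragraphs above rest on one point: "validly signed" only proves that whoever held a key trusted by the platform signed the file; it does not prove that the expected publisher did. The following Go program is an added example written for this page, not code from the original post or from any vendor. It builds a throwaway PKI with two roots in the trust store, one of them standing in for a compromised CA, has both issue a code-signing certificate named "Contoso Software" (a hypothetical publisher), and compares two verification policies: chain validity alone versus chain validity plus a pin on the publisher's public key. All CA names, publisher names and "binary" contents are constructed test material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on setup errors; everything here is constructed test material, not a real PKI.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a self-signed root CA when parent is nil, otherwise a code-signing certificate issued by parent.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if parent == nil { // root: self-signed and allowed to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		tmpl.ExtKeyUsage = nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// signBinary signs the SHA-256 digest of the file bytes with the publisher's private key.
func signBinary(key *ecdsa.PrivateKey, binary []byte) []byte {
	digest := sha256.Sum256(binary)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	must(err)
	return sig
}

// keyFingerprint identifies a publisher by its public key rather than by its display name.
func keyFingerprint(cert *x509.Certificate) [32]byte {
	return sha256.Sum256(cert.RawSubjectPublicKeyInfo)
}

// chainValid is the weak policy: the signature verifies and the signer chains to any trusted root.
func chainValid(roots *x509.CertPool, signer *x509.Certificate, binary, sig []byte) bool {
	digest := sha256.Sum256(binary)
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return false
	}
	_, err := signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err == nil
}

// publisherPinned is the stronger policy: chain-valid AND signed by the key enrolled for this publisher.
func publisherPinned(roots *x509.CertPool, pin [32]byte, signer *x509.Certificate, binary, sig []byte) bool {
	return chainValid(roots, signer, binary, sig) && keyFingerprint(signer) == pin
}

// Demo: two trusted roots, one of them compromised, both issuing a certificate named "Contoso Software".
func Demo() (legitChainValid, rogueChainValid, legitPinned, roguePinned bool) {
	legitCA, legitKey := issue("Trusted Root CA", nil, nil)
	rogueCA, rogueKey := issue("Compromised Root CA", nil, nil) // constructed: also sits in the trust store
	roots := x509.NewCertPool()
	roots.AddCert(legitCA)
	roots.AddCert(rogueCA)
	realSigner, realKey := issue("Contoso Software", legitCA, legitKey)
	fakeSigner, fakeKey := issue("Contoso Software", rogueCA, rogueKey) // same name, different key
	pin := keyFingerprint(realSigner) // recorded when the real publisher's certificate was enrolled
	goodBin := []byte("constructed: bytes of the vendor's real driver")
	badBin := []byte("constructed: bytes of a malicious build")
	goodSig := signBinary(realKey, goodBin)
	badSig := signBinary(fakeKey, badBin)
	return chainValid(roots, realSigner, goodBin, goodSig),
		chainValid(roots, fakeSigner, badBin, badSig),
		publisherPinned(roots, pin, realSigner, goodBin, goodSig),
		publisherPinned(roots, pin, fakeSigner, badBin, badSig)
}

func main() {
	lc, rc, lp, rp := Demo()
	fmt.Printf("chain-only policy: vendor=%v malicious=%v\nkey-pinned policy: vendor=%v malicious=%v\n", lc, rc, lp, rp)
}
```

Running it shows the chain-only policy accepting both builds, because the rogue certificate is just as "valid" as the real one, while the key-pinned policy accepts only the build signed with the enrolled key. On a real platform the equivalent control is an allowlist of publisher certificates or public-key hashes on top of the OS signature check, with CA distrust and certificate revocation as the complementary response once a compromised issuer is identified.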

Follow me on Twitter: @orinthomas
