Microsoft and Symantec push to combat key, code-signed malware

An alarming growth in malware signed with fraudulently obtained keys and code-signing certificates in order to trick users to download harmful code is prompting Microsoft and Symantec to push for tighter controls in the way the world's certificate authorities issue these keys used in code-signing.

It's not just stolen keys that are the problem in code-signed malware but "keys issued to people who aren't who they say they are," says Dean Coclin, senior director of business development in the trust services division at Symantec.

Coclin says China, Brazil and South Korea are the hot spots today where the problem of malware signed with certificates and keys obtained from certificate authorities is the worst right now. "We need a uniform way to vet companies and individuals around the world," says Coclin. He says that doesn't really exist today for certificates used in code-signing, but Microsoft and Symantec are about to float a plan that might change that.

[RELATED:McAfee research shows sharp rise in malware signed with legitimate digital certificate]

Code-signed malware appears to be aimed mostly at Microsoft Windows and Java, maintained by Oracle, says Coclin, adding that malicious code-signing of Android apps has also quickly become a lawless "Wild West."

Under the auspices of the Certificate Authority/ Browser Forum, an industry group in which Microsoft and Symantec are members, the two companies next month plan to put forward what Coclin describes as proposed new "baseline requirements and audit guidelines" that certificate authorities would have to follow to verify the identity of purchasers of code-signing certificates. Microsoft is keenly interested in this effort because "Microsoft is out to protect Windows," says Coclin.

These new identity-proofing requirements will be detailed next month in the upcoming CAB Forum document from its Code-Signing Group. The underlying concept is that certificate authorities would have to follow more stringent practices related to proofing identity, Coclin says.

The CAB Forum includes the main Internet browser software makers, Microsoft, Google, Opera Software and The Mozilla Foundation, combined with many of the major certificate authorities, including Symantec's  own certificate authority units Thawte and VeriSign, which earlier acquired GeoTrust.

Several other certificate authorities, including Comodo, GoDaddy, GlobalSign, Trustwave and Network Solutions, are also CAB Forum members, plus a number of certificate authorities based abroad, such as Chunghwa Telecom Co. Ltd., Swisscom, TURKTRUST and TAIWAN-CA, Inc. It's part of a vast and larger commercial certificate authority global infrastructure with numerous sub-authorities operating in a root-based chain of trust. Outside this commercial certificate authority structure, governments and enterprises also use their own controlled certificate authority systems to issue and manage digital certificates for code-signing purposes.

Use of digital certificates for code-signing isn't as widespread as that for SSL, for example, but as detailed in the new White Paper on the topic from the industry group called the CA Security Council, code-signing is intended to assure the identity of software publishers and ensure that the signed code has not been tampered with.

Coclin, who is co-chair of the CAB Forum, says precise details about new anti-fraud measures for proofing the identity of those buying code-signing certificates from certificate authorities will be unveiled next month and subject to a 60-day comment period. These new proposed identity-proofing requirements will be discussed at a meeting planned in February at Google before any adoption of them.

The CAB Forum's code-signing group is expected to espouse changes related to security that may impact software vendors and enterprises that use code-signing in their software development efforts so the CAB Forum wants maximum feedback before going ahead with its ideas on improving security in certificate issuance.

Coclin points out that commercial certificate authorities today must pass certain audits done by KPMG or PricewaterhouseCoopers, for example. In the future, if new requirements say certificate authorities have to verify the identity of customers in a certain way and they don't do it properly, that information could be shared with an Internet browser maker like Microsoft, which makes the Internet Explorer browser. Because browsers play a central role in the certificate-based code-signing process, Microsoft, for example, could take action to ensure its browser and OS do not recognize certificates issued by certificate authorities that violate any new identity-proofing procedures. But how any of this shake out remains to be seen.

McAfee, which unlike Symantec doesn't have a certificate authority business unit and is not a member of the CAB Forum, last month at its annual user conference presented its own research about how legitimate certificates are increasingly being used to sign malware in order to trick victims into downloading malicious code.

"The certificates aren't actually malicious -- they're not forged or stolen, they're abused," said McAfee researcher Dave Marcus. He said in many instances, according to McAfee's research on code-signed malware, the attacker has gone out and obtained legitimate certificates from a company associated with top-root certificate authorities such as Comodo, Thawte or VeriSign. McAfee has taken to calling this the problem of "abused certificates," an expression that's not yet widespread in the industry as a term to describe the threat.

Coclin notes that one idea that would advance security would be to have a "code-signing portal" where a certificate authority could scan the submitted code to be checked for signs of malware before it was signed. He also said a good practice is hardware-based keys and security modules to better protect private keys used as part of the code-signing process.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

Tags symantecMicrosoftsecurityanti-malwareWide Area NetworkOracle

More about ComodoGlobalSignGoogleIDGInc.KPMGMcAfee AustraliaMicrosoftMozillaMozilla FoundationOpera SoftwareOraclePricewaterhouseCoopersSwisscomSymantecThawteTrustwaveVeriSign AustraliaWest

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ellen Messmer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place