
Admin Alert: Kaspersky Lab Reported Twice as Many Digital Certificates Used to Sign Malware in 2014

January 29, 2015

According to Kaspersky Lab, the number of untrusted certificates used to sign malicious software doubled in the last year. By the end of 2014, the company’s antivirus database included more than 6,000 of these certificates. Considering the growing number of threats related to signing malicious files, our experts advise system administrators and users not to trust digital signatures without question and not to allow signed files to launch purely on the strength of the signature.

“Virus writers steal and imitate valid signatures to reassure the users and anti-virus solutions that the file is safe. Kaspersky Lab has seen this technique used by advanced persistent threat actors for several years,” said Andrey Ladikov, Head of Strategic Research at Kaspersky Lab.

The notorious Stuxnet worm used certificates stolen from Realtek and JMicron. The Winnti gang stole certificates from compromised gaming companies and re-used them in new attacks. Moreover, there are examples of the same certificates being used in attacks launched by other groups of Chinese hackers, suggesting the existence of an underground market. The Darkhotel gang usually signed its backdoors with digital certificates and apparently had access to the secret keys needed to create fake certificates.

To reduce the risk of launching new malware that virus scanners do not recognize and that your computer believes is backed up by a valid digital certificate, it is essential to maintain increased control over signed files with appropriate antivirus protection and comply with security policies:

  1. Impose a ban on launching programs that are digitally signed by an unknown software vendor: most stolen certificates originate from small developers.
  2. When encountering certificates from unknown certification centers, do not install them in the certificate store.
  3. Do not grant permission to launch programs signed by trusted certificates purely based on the name of the certificate. Check other attributes such as the serial number and the certificate fingerprint (hash sum).
  4. Install the Microsoft MS13-098 update: it fixes the flaw that allows additional data to be included in a signed file without invalidating the file signature.
  5. Use an antivirus solution that has its own database of trusted and untrusted certificates.
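
One way to apply recommendations 1 and 3 on a Windows host, as an added example that is not part of Kaspersky Lab's advisory: the check below allows a signed file only when the signer certificate's fingerprint and serial number both match a pinned entry, and never decides on the subject name. The function name `Test-PinnedSignature`, the `$PinnedSigners` list and its all-zero values are hypothetical placeholders to be replaced with the values of certificates you have verified yourself.

```powershell
# Added example. Pinned signer list: the entry below is a constructed
# placeholder, not a real certificate. Thumbprint is the SHA-1 hash of the
# certificate as reported by Windows; Serial is the certificate serial number.
$PinnedSigners = @(
    [pscustomobject]@{
        Vendor     = 'Example Vendor (placeholder)'
        Thumbprint = '0000000000000000000000000000000000000000'
        Serial     = '00000000000000000000000000000000'
    }
)

function Test-PinnedSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    # Unsigned files, modified files (HashMismatch) and files whose chain
    # is not trusted are rejected before the signer is even considered.
    if ($sig.Status -ne 'Valid' -or -not $cert) {
        return [pscustomobject]@{
            Path = $Path; Allowed = $false
            Reason = "Signature status: $($sig.Status)"
        }
    }

    # Match on fingerprint AND serial number. The subject name is only
    # reported for the log; a look-alike name must not grant permission.
    $match = $PinnedSigners | Where-Object {
        $_.Thumbprint -eq $cert.Thumbprint -and $_.Serial -eq $cert.SerialNumber
    }

    [pscustomobject]@{
        Path       = $Path
        Allowed    = [bool]$match
        Reason     = if ($match) { "Pinned signer: $($match.Vendor)" }
                     else { 'Valid signature, but signer is not pinned' }
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Serial     = $cert.SerialNumber
    }
}

# Usage (C:\Tools is a hypothetical directory):
# Get-ChildItem C:\Tools -Filter *.exe | ForEach-Object { Test-PinnedSignature $_.FullName }
```

A file reported with a valid signature but an unpinned signer is the case recommendation 1 asks you to block by default.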

To learn more, please read the blog post available at Securelist.com.

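About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky continually transforms deep threat intelligence and security technology into innovative security solutions and services that protect businesses, critical infrastructure, governments and consumers around the world. The company offers a comprehensive security portfolio that includes leading endpoint protection solutions and a range of specialized security solutions and services, as well as Cyber Immune solutions for countering sophisticated and evolving digital threats. More than 400 million users worldwide protect themselves with Kaspersky technologies, and we also help 200,000 corporate clients worldwide protect what matters most. To learn more, visit www.kaspersky.com.cn.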