McAfee Focus 2013

McAfee Focus 2013: Digitally signed malware a fast-growing threat, say researchers

Warwick Ashford

Digitally signed malware is a fast-growing threat that is aimed at bypassing whitelisting and sandboxing security controls, say security researchers.

“We found 1.2 million pieces of new signed malware in the last quarter alone,” said David Marcus, director of advanced research and threat intelligence at McAfee.

Focus13.jpg

This is malware that is signed using legitimate digital certificates that have not been stolen or forged, but acquired from certificate authorities (CAs) or their sub-contractors, he said.

Analysis of McAfee’s malware database revealed that the most commonly abused certificates, by volume, are issued by Thawte, Comodo and Verisign, he told attendees of McAfee Focus 2013 in Las Vegas.

“Attackers know that whitelisting and sandboxing security controls let through anything with a legitimate digital certificate, so that is what they do for their malware,” Marcus told Computer Weekly.

This can be addressed, at least partially, by subscribing to a CA reputation service, said James Wolfe, chief security engineer ePO at Lockheed Martin.

But there is no quick fix for this problem so businesses need to be aware they can no longer assume that digitally signed software is safe, said Marcus,.

The only way to solve this properly is for security companies and CAs to work closely together to ensure that any certificates being abused by malware writers are identified and revoked quickly, he said.

In the meantime, said Wolfe, information security professionals should not trust any new binary, even if it is signed, and should run all new binaries through a sandbox to check they are not malicious.

Digitally signed malware threat growing fast

The threat is big and growing rapidly. McAfee research has found that signed malware accounted for only 1.3% of all new malware in 2010, but increased to 2.9% in 2011 and 6.6% in 2012.

“These were big jumps of 136% and 393%,” said Marcus, and the pace is only accelerating. In just the first nine months of 2013, signed malware was up 20% on the figure for the whole of 2012.

The fastest growth has been in digitally signed Android malware that accounts for 24% of all digitally signed malware, compared with just 5.2% for PC malware.

“From 2010 to 2011, signed Android malware shot up by 1,412%,” said Marcus.

As a security measure, all Android apps need to be signed before they are allowed in the app store. “To get around this, malware writers are simply getting digital certificates for their malware,” he said.

Digitally signing malware means that it can fly under the radar of most organisations using whitelisting technology.

“This strategy gives a new meaning to the term advanced persistent threat (APT),” said Wolfe. “It enables sniper rifle targeting."

In the light of this discovery, businesses need to realise that signed files are not necessarily any safer than other files and plan accordingly, said Marcus.

“It is important to take control of device policy settings and apps,” he said.

Marcus also advises that security practitioners understand the limitations of sandboxing and whitelisting technologies and take that into account.

“Businesses using whitelisting should ensure they have the ability to revoke certificates on a daily basis, if necessary,” he said.

Longer term, he said the research around signed malware has great potential and future security products are likely include certificate reputation as a means for identifying potential malware.

“Short term, large organisations may even want to consider setting up an internal CA so they can sign all the code they are running,” said Marcus.


Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy