Code signing – warm and fuzzy?

Couple of days ago I stumbled on an excellent article about the pitfalls of code signing!

https://arstechnica.com/information-technology/2017/11/evasive-code-signed-malware-flourished-before-stuxnet-and-still-does/

Couple of excerpts:


"Now, researchers have presented proof that digitally signed malware is much more common than previously believed."

"Surprisingly, weaknesses in the majority of available AV programs prevented them from detecting known malware that was digitally signed even though the signatures weren't valid."

"The third key weakness in the code-signing ecosystem was the failure of certificate authorities to verify the identities of people applying for code-signing certificates. "

"Malware with the same digital DNA as Stuxnet—Duqu discovered in 2011 and the Duqu 2.0 that infected Kaspersky Lab's corporate network starting in 2014—also used code signing."


Just because an executable is code signed does not really tell much.  You can EDIT code signed executables and they will run just fine - assuming that you do not change the binary code that actually makes them run;)

You can protect your software by validating the code signature inside the application.  That way if the signature is tampered with, you can prevent the program from running.

Leave a Reply