Trusted certificates play an important role in security and trust in computing. Certificate Authorities (CAs) verify the identity of individuals and organizations and issue them certificates that can be used to prove that identity and to validate content, for applications such as secure websites (TLS) or the code-signing of executables and installer packages. These certificates are a powerful way to build user trust, and they affect many user experiences, such as how warning dialogs are presented when a file is downloaded from the web. Similarly, a code signature can influence an AV vendor's decision as to whether a file is clean or malicious. Although generally a tool for good, certificates issued by CAs are in some cases stolen, or issued directly to malware attackers. In this presentation we will describe a trend we have observed: a rise in malware actors repeatedly being issued digital certificates directly by CAs.
During the presentation we will begin with a brief background on digital certificates and their corresponding CAs. We will then present two recent malware cases (Trojan:Win32/Kovter and TrojanClicker:Win32/NightClick) in which the malware authors have repeatedly been issued trusted certificates directly by CAs, and show how they abuse those certificates. Turning to the root of the problem, we will examine how the identity validation process works at CAs and how we believe these attackers are subverting that verification process to obtain their own certificates. Finally, we will discuss and brainstorm on the future of code-signing and its role in the AV industry.