An alarming growth in malware signed with fraudulently obtained keys and code-signing certificates, used to trick users into downloading harmful code, is prompting Microsoft and Symantec to push for tighter controls on the way the world's certificate authorities issue the keys used in code-signing.
It's not just stolen keys that are the problem in code-signed malware but "keys issued to people who aren't who they say they are," says Dean Coclin, senior director of business development in the trust services division at Symantec.
Coclin says China, Brazil, and South Korea are the hot spots today where the problem of malware signed with certificates and keys obtained from certificate authorities is worst. "We need a uniform way to vet companies and individuals around the world," says Coclin. He says that doesn't really exist today for certificates used in code-signing, but Microsoft and Symantec are about to float a plan that might change that.
Code-signed malware appears to be aimed mostly at Microsoft Windows and Java, maintained by Oracle, says Coclin, adding that malicious code-signing of Android apps has also quickly become a lawless "Wild West."
Read the full story at PCWorld.