Signed Malware

upnorth


The two legitimate signing certificates Stuxnet used to bypass Windows protections.

Quote : " Stuxnet famously used legitimate digital certificates to sign its malware. A research paper from last year found that the practice is much more common than previously thought.

Now, researchers have presented proof that digitally signed malware is much more common than previously believed. What's more, it predated Stuxnet, with the first known instance occurring in 2003. The researchers said they found 189 malware samples bearing valid digital signatures that were created using compromised certificates issued by recognized certificate authorities and used to sign legitimate software. In total, 109 of those abused certificates remain valid. "

" The results are significant because digitally signed software is often able to bypass User Account Control and other Windows measures designed to prevent malicious code from being installed. Forged signatures also represent a significant breach of trust because certificates provide what's supposed to be an unassailable assurance to end users that the software was developed by the company named in the certificate and hasn't been modified by anyone else. The forgeries also allow malware to evade antivirus protections. "
Windows_Security

:) A few hundred samples since 2003 with valid signatures against a few hundred thousand unsigned samples a day

With the insights of the posted articles (thx @upnorth) this is by far the simplest attack surface reduction tweak I know

Save below the line as "Block_unsigned_elevation.reg"
____________________________________________________
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ValidateAdminCodeSignatures"=dword:00000001

____________________________________________________

You can still run unsigned software, but you can't install unsigned software
(you will get this prompt when unsigned software wants to install/elevate to admin rights,
which is probably one of Microsoft's best self-explaining prompts ever :unsure: not)


Just run the registry file below (save as Allow_unsigned_elevation.reg) when you want to install it
(don't forget to switch back to blocking unsigned elevation)
____________________________________________________
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ValidateAdminCodeSignatures"=dword:00000000

____________________________________________________
 

TairikuOkami

A few hundred samples since 2003 with valid signatures against a few hundred thousand unsigned samples a day
Not even a few hundred with a valid signature.
The trio researchers—Doowon Kim, BumJun Kwon and Tudor Dumitras from the University of Maryland, College Park—said they found a total of 325 signed malware samples, of which 189 (58.2%) carried valid digital signatures
The Rise of Super-Stealthy Digitally Signed Malware—Thanks to the Dark Web

this is by far the simplest attack surface reduction tweak I know
Indeed, and combined with disabled scripting used for an elevation bypass, it is almost unbeatable by malware. Even PowerShell uses a little scripting to start.
Code:
reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ValidateAdminCodeSignatures" /t REG_DWORD /d "1" /f
 

Deleted member 65228

Digitally signed malware will rise over the next few years in my opinion.

Malware authors can obtain stolen digital signatures on various hacking forums, some services still provide individual licenses, and other times there are offered services for someone to purchase a certificate on their behalf, likely using fake/proxy identities.

Thankfully, Secure Boot enforces a Microsoft co-signed certificate (requiring an Extended Validation certificate prior to the co-sign) for kernel-mode software, which is a hell of a lot trickier for a malware author to obtain. Although likely irrelevant since ransomware, banking malware and crypto-currency mining is the trend in the malware industry as of right now.

Malware authors can also make it appear that a PE was digitally signed, but the certificate won't be genuine/valid and thus it won't be trusted/verified. It's recommended to check on these characteristics instead of blindly trusting a digital certificate, as well. I've seen a few samples in the wild doing this as of late.
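One way to act on that advice from the defender's side, as an added example (PowerShell written for this thread, not code posted by any member or shipped with Sigcheck): walk a folder, read the Authenticode status of every PE, and separate "unsigned" from "signature present but not trusted or hash mismatch". It also goes one step further than the post: because the article at the top shows that a Valid status can still come from a stolen certificate, files with a valid signature are compared against a publisher allowlist you maintain yourself; the two Microsoft subject names in the default list are placeholder assumptions.

```powershell
# Added example, not from the thread. Classifies Authenticode status so that
# "looks signed but is not valid" files stand out in the report.
function Get-SignatureReport {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed allowlist of certificate subjects you expect on this machine;
        # replace with the publishers you actually trust.
        [string[]] $ExpectedPublishers = @('CN=Microsoft Windows', 'CN=Microsoft Corporation')
    )
    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.sys -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        $issuer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }  else { $null }

        $verdict = switch ($sig.Status) {
            # Chain is trusted, but a stolen cert also produces 'Valid': check the publisher.
            'Valid' {
                if ($ExpectedPublishers | Where-Object { $subject -like "$_*" }) { 'ok' }
                else { 'review: valid signature from unexpected publisher' }
            }
            'NotSigned'    { 'unsigned' }
            # Signature block present, but the file was altered after signing.
            'HashMismatch' { 'alert: signed file modified after signing' }
            # NotTrusted / UnknownError etc.: a signature that does not chain to a trusted root.
            default        { "alert: signature present but not trusted ($($sig.Status))" }
        }

        [pscustomobject]@{
            Path    = $_.FullName
            Status  = $sig.Status
            Signer  = $subject
            Issuer  = $issuer
            Verdict = $verdict
        }
    }
}

# Usage: list everything that is not a known-good, validly signed binary.
Get-SignatureReport -Path "$env:ProgramFiles" |
    Where-Object { $_.Verdict -ne 'ok' } |
    Format-Table -AutoSize
```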
 

shmu26




Quote : " Dangerous root certificates are a serious problem. From Lenovo’s Superfish to Dell’s eDellRoot and a number of other certificates installed by adware programs, your computer’s manufacturer or a program you installed may have added a certificate that opens you to attack. Here’s how to check if your certificates are clean. "

Source : How to Check for Dangerous, Superfish-Like Certificates on Your Windows PC

Sigcheck v2.60 : Sigcheck - Windows Sysinternals
Very nice tool, thanks!
 

show-Zi

Real-time protection by signature and pattern matching may already be outdated. I think that it is necessary to take measures such as sandboxes and rollbacks premised on infection.
 

TairikuOkami

You can always easily reset certificates.
Code:
net stop cryptSvc /y
takeown /f "%WINDIR%\System32\catroot2" /a
icacls "%WINDIR%\System32\catroot2" /grant:r Administrators:F /c
ren "%WINDIR%\System32\catroot2" "catroot2.bak"
net start cryptSvc /y

Upon starting the service, new certificates will be re-downloaded, you might notice a higher CPU/HDD usage.
You will not be able to perform any admin actions till it is done, so in case of problems, just restore the backup.
Code:
ren "%WINDIR%\System32\catroot2.bak" "catroot2"

What is Catroot & Catroot2 folder? How do you reset catroot2 folder
 


shmu26

Thanks upnorth
sigverif.exe is much easier to use than sigcheck. (y)
They are not doing the same thing, though. Sigverif is checking drivers, whereas sigcheck is checking certificates. Two different things.
 

ForgottenSeer 69673

They are not doing the same thing, though. Sigverif is checking drivers, whereas sigcheck is checking certificates. Two different things.

Ok, thanks for the explanation. I just ran Sigverif and it appears that besides checking sys files, it checks exe's and dll's plus a few other extensions.
 