Researchers unmask trade in code-signing certs
There's a flourishing trade in illicit code-signing certificates, and even extended validation certificates can be purchased for a few thousand dollars.
That's the conclusion of a study by American and Czech researchers, with input from Symantec Labs (the company's technical director Christopher Gates is a co-author).
The research found that the success of Microsoft's Windows Defender SmartScreen has forced attackers to change tactics. Once, malware authors would seek out code-signing certificates that had been compromised. During 2017, however, the paper says, “these methods have become secondary to purchasing certificates from underground vendors”.
The paper cited platform protections like SmartScreen as driving this change.
During 2017, the researchers followed the fortunes of “four leading vendors of code-signing certificates”. One seller turned over a new certificate every couple of days, and from around 50 code-signing certificates took in US$16,150, suggesting individual certificates sell for only a few hundred dollars each.
That might not be enough to defeat Windows Defender SmartScreen, however. As the paper explained, when SmartScreen encounters a certificate for the first time, it has no reputation associated with that certificate and so raises a warning the user has to click through during installation.