The Market of Stolen Code-Signing Certificates Is Too Expensive for Most Hackers

Faybert

Faybert

Level 24
Thread author
Verified
Top Poster
Well-known
Jan 8, 2017
1,320
There's a thriving underground market for buying and selling code-signing certificates meant to help malware pass unnoticed by security scanners, but according to new research, the prices for such certificates are too high, and only a few hackers can't afford one.

It's been known for years that the hardest malware to detect is the one that's signed with certificates issued to well-known and established companies.

But for a long time, it's been believed —and rightfully so— that hackers got their hands on such certificates by stealing them from the networks of legitimate companies, their partners, or the Certificate Authorities (CAs) themselves.

......................
......................
.....................
......................
 
  • Like
Reactions: Weebarra, shmu26, AtlBo and 9 others
cruelsister

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
The important thing to remember about signing certificates is that, just like Bananas, they come in differing quality.

The lowest quality (and most available) is a certificate that anyone can get (one has to start somewhere) by paying a bit of cash and having some rinky-dink application. The credentials can then be sold to prepubescent Blackhat wannabe's who are easily impressed. These rarely get by anything and even if they do are almost immediately blacklisted,

The better quality certificates (which are stolen by targeted credential info stealers) are VERY expensive and are not traded very much. This is because the total revenue expected by selling it must exceed what would be determined to be had by releasing it by the thief.

The BEST quality certificates are as rare as Roc's teeth and are NEVER sold, but are put aside for the EndGame.

(not that I would know any of this as I am Kind and Gentle person...)
 
  • Like
Reactions: simmerskool, Weebarra, Azure and 8 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
cruelsister said:
The important thing to remember about signing certificates is that, just like Bananas, they come in differing quality.

The lowest quality (and most available) is a certificate that anyone can get (one has to start somewhere) by paying a bit of cash and having some rinky-dink application. The credentials can then be sold to prepubescent Blackhat wannabe's who are easily impressed. These rarely get by anything and even if they do are almost immediately blacklisted,

The better quality certificates (which are stolen by targeted credential info stealers) are VERY expensive and are not traded very much. This is because the total revenue expected by selling it must exceed what would be determined to be had by releasing it by the thief.

The BEST quality certificates are as rare as Roc's teeth and are NEVER sold, but are put aside for the EndGame.

(not that I would know any of this as I am Kind and Gentle person...)
Click to expand...
Sis, please, what determines the quality of a certificate?
I know of two levels:
1 false signatures that can be detected by any security software (or user) that takes the time and trouble to run a validation test. These false sigs are relatively easy to produce.

2 sigs that will pass a validation test. These are very rare, and home users will normally not encounter them.

How does this relate to your 3 quality levels of certificates?

EDIT: Okay, after reading the article in full, it seems there are three certificate signers whose certifications are on sale on the black market, in ascending order of reliability: 1 Comodo, 2 someone I don't know, 3 Symantec. Are those the three levels you referred to?
 
Last edited:
  • Like
Reactions: Weebarra, silversurfer, harlan4096 and 1 other person
cruelsister

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
First off, it really pertains to those product that will be cognizant of files that are signed (like a Trusted Vendors List).

1). Low quality would be a new company that just got a certificate (even if countersigned)- these will rarely make it on to a TVL until some track Record is seen. Remember anyone with a rinky-dink app can get a certificate if they are willing to pay for it. These are the stuff that are typically for sale on the DarkWeb.

2). A Quality certificate would be something like was see with CCLeaner and the stolen PiriForm cert. Obviously an issue, but as it is a pain to acquire (normally by info stealers on the Company'e website) these are usually directed against big time targets for specific reasons.

3). High quality would be certificates acquired (bribery is best here) from majors like Adobe, Oracle, etc. These will be saved for Armageddon.
 
  • Like
Reactions: simmerskool, Hector1, Weebarra and 3 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
cruelsister said:
First off, it really pertains to those product that will be cognizant of files that are signed (like a Trusted Vendors List).

1). Low quality would be a new company that just got a certificate (even if countersigned)- these will rarely make it on to a TVL until some track Record is seen. Remember anyone with a rinky-dink app can get a certificate if they are willing to pay for it. These are the stuff that are typically for sale on the DarkWeb.

2). A Quality certificate would be something like was see with CCLeaner and the stolen PiriForm cert. Obviously an issue, but as it is a pain to acquire (normally by info stealers on the Company'e website) these are usually directed against big time targets for specific reasons.

3). High quality would be certificates acquired (bribery is best here) from majors like Adobe, Oracle, etc. These will be saved for Armageddon.
Click to expand...
Beautiful.
Can't wait for Armageddon.
 
  • Like
Reactions: Weebarra and harlan4096
You must log in or register to reply here.

Similar threads

oldschool
    • Like
    • Applause
    • +Reputation
The case for slowing down AI
Replies
5
Views
1,276
News Archive
oldschool
oldschool
Gandalf_The_Grey
    • Like
    • Applause
    • Thanks
Advice Request You Probably Don't Need a VPN
Replies
5
Views
2,193
VPN and DNS
xtrazone
X
enaph
    • Like
    • +Reputation
SolarWinds Blame Intern for Weak Password That Led to Biggest Attack in 2020
Replies
2
Views
2,109
News Archive
Wasar
Wasar

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top