The Market of Stolen Code-Signing Certificates Is Too Expensive for Most Hackers

Faybert

Level 24
Thread author
Verified
Top Poster
Well-known
Jan 8, 2017
1,318
There's a thriving underground market for buying and selling code-signing certificates meant to help malware pass unnoticed by security scanners, but according to new research, the prices for such certificates are too high, and only a few hackers can afford one.

It's been known for years that the hardest malware to detect is the one that's signed with certificates issued to well-known and established companies.

But for a long time, it's been believed —and rightfully so— that hackers got their hands on such certificates by stealing them from the networks of legitimate companies, their partners, or the Certificate Authorities (CAs) themselves.

......................

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
The important thing to remember about signing certificates is that, just like Bananas, they come in differing quality.

The lowest quality (and most available) is a certificate that anyone can get (one has to start somewhere) by paying a bit of cash and having some rinky-dink application. The credentials can then be sold to prepubescent Blackhat wannabes who are easily impressed. These rarely get by anything, and even if they do they are almost immediately blacklisted.

The better quality certificates (which are stolen by targeted credential info stealers) are VERY expensive and are not traded very much. This is because the total revenue expected by selling it must exceed what would be determined to be had by releasing it by the thief.

The BEST quality certificates are as rare as Roc's teeth and are NEVER sold, but are put aside for the EndGame.

(not that I would know any of this as I am a Kind and Gentle person...)
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Sis, please, what determines the quality of a certificate?
I know of two levels:
1 false signatures that can be detected by any security software (or user) that takes the time and trouble to run a validation test. These false sigs are relatively easy to produce.

2 sigs that will pass a validation test. These are very rare, and home users will normally not encounter them.

How does this relate to your 3 quality levels of certificates?

EDIT: Okay, after reading the article in full, it seems there are three certificate signers whose certifications are on sale on the black market, in ascending order of reliability: 1 Comodo, 2 someone I don't know, 3 Symantec. Are those the three levels you referred to?
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
First off, it really pertains to those products that will be cognizant of files that are signed (like a Trusted Vendors List).

1). Low quality would be a new company that just got a certificate (even if countersigned) - these will rarely make it on to a TVL until some track Record is seen. Remember anyone with a rinky-dink app can get a certificate if they are willing to pay for it. This is the stuff that is typically for sale on the DarkWeb.

2). A Quality certificate would be something like what was seen with CCleaner and the stolen Piriform cert. Obviously an issue, but as it is a pain to acquire (normally by info stealers on the Company's website) these are usually directed against big time targets for specific reasons.

3). High quality would be certificates acquired (bribery is best here) from majors like Adobe, Oracle, etc. These will be saved for Armageddon.
 
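The two checks the posts above describe, a validation test on the signature and a look at how much "track record" the signer's certificate has, can be run from the defender's side with PowerShell's built-in Get-AuthenticodeSignature. This is an added example, not code from the thread or from MalwareTips; the scan path and the 90-day "young certificate" threshold are assumptions chosen for illustration.

```powershell
# Added example (not from the thread): triage signed binaries along the lines
# the posts describe. A "validation test" is the Status reported by
# Get-AuthenticodeSignature; a signer with no "track record" is approximated
# here by the age of its certificate. Path and age threshold are assumptions.
param(
    [string]$Path = "$env:ProgramFiles",
    [int]$MinCertAgeDays = 90   # assumed threshold for a "young" signer certificate
)

Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
ForEach-Object {
    $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
    $cert   = $sig.SignerCertificate          # X509Certificate2 or $null when unsigned
    $status = $sig.Status.ToString()          # Valid, NotSigned, HashMismatch, NotTrusted, ...

    $flag = ''
    if ($status -ne 'Valid' -and $status -ne 'NotSigned') {
        # Level 1 in the thread: the signature does not survive a validation
        # test (hash mismatch, or a certificate that does not chain to a trusted root).
        $flag = 'INVALID-SIG'
    }
    elseif ($status -eq 'Valid' -and ((Get-Date) - $cert.NotBefore).TotalDays -lt $MinCertAgeDays) {
        # Level 2/3 in the thread: the signature validates, so the remaining
        # signals are who signed it and how recently the certificate was issued.
        $flag = 'YOUNG-CERT'
    }

    [pscustomobject]@{
        File      = $_.FullName
        Status    = $status
        Signer    = if ($cert) { $cert.Subject } else { '' }
        Issuer    = if ($cert) { $cert.Issuer } else { '' }
        NotBefore = if ($cert) { $cert.NotBefore } else { $null }
        Flag      = $flag
    }
} | Where-Object { $_.Flag } | Format-Table -AutoSize
```

A YOUNG-CERT hit is not evidence of malice on its own; it is the candidate list a reviewer then compares against the vendors they actually trust.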

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Beautiful.
Can't wait for Armageddon.
 
