There are also several other "signed" malware pieces out there. Wouldn't a trojan signed by "GENUINE SOFTWARE UPDATE LIMITED" (yes, it's a real one) give a false sense of security to the user? Of course it would.
Gromozon is a major one, and one of the worst ever created, of course. There are many people who believe that "signed malware" is very rare, if it exists at all:
http://groups.google.com/group/m...26511ddae6644ea
This just shows how wrong they are.
TNT
09.12.07 - 2:51 pm

And then there's the story of the company named "CLICK YES TO CONTINUE" that got a Verisign code signing cert
http://www.eweek.com/article2/0,...,1767871,00.asp
Larry Seltzer
09.12.07 - 3:28 pm

nice...
alex eckelberry
09.12.07 - 3:53 pm

This may not be as breaking a story as it sounds, I'm afraid.
Seems it was noted last year:
http://www.dslreports.com/forum/...remark,16703051
Nonetheless, still disturbing.
TeMerc
09.12.07 - 5:17 pm

No, the software is NOT signed by Thawte! The software is signed by "Newtech Inc." Thawte has issued a certificate to Newtech Inc. that allows Newtech Inc. to sign their own software, and take responsibility for their own software.
The issuer of the certificate (Thawte) typically never sees the software that is signed by the party to whom the certificate is issued. The issuer's job is to identify the party whom they name in the certificate they issue.
A certificate doesn't mean "this software is good". It means "this software comes from someone who is well identified and can be held accountable for it." Thawte isn't saying "this software is good". They're saying "This software comes from Newtech." Thawte doesn't say "This company is good". Instead they say "This company is real, and really is the source of this software."
If you have a beef with the software, you can hold Newtech responsible. The value to you of the certificate is that you have high confidence that the source really is Newtech, and not someone pretending to be someone else.
As a user, the certificate tells you who is really the source of the software you are contemplating using. You should look at the cert and ask "Is the source of this software someone I know and trust?" You should not say "Oh, this software was signed by somebody, so that somebody must be good".
MisterSSL (Mozilla crypto deve
09.12.07 - 5:27 pm

TeMerc, yeah, I've personally been aware for several months that some of the gromozon files are signed.
What prompted me to take this out of the closet is the realization that several people STILL believe that signed malware is not out there, or that at most the signed ones are bland adware. This was somewhat reinforced by discussions like this:
https://www.blogger.com/comment.g...937402281300728
Hello? "I realize that in the real world it would be very hard to keep a trusted certificate if you're distributing malware"... yeah, try several months and still no sign of revocation. And we're talking about what might well be THE WORST spyware ever created.
"First of all, it can be hard - ever tried to get a Symbian S60 R3 executable or a Vista driver signed? Second, even if it is not, it would still mean that any malware author will be able to produce only one signed malware program. Third, it will mean that the author is traceable instead of anonymous as it is now"...
No comment on this one... those two pictures are worth more than a 1000 words.
TNT
09.12.07 - 5:32 pm

"No, the software is NOT signed by Thawte! The software is signed by "Newtech Inc." Thawte has issued a certificate to Newtech Inc, that allows Newtech Inc. to sign their own software, and take responsibility for their own software."
Yes, that's how it works. We're aware of that, thanks.
"A certificate doesn't mean "this software is good". It means "this software comes from someone who is well identified and can be held accountable for it.""
Yes, we're aware of this too, thanks. The point is that the signature guarantees nothing. Thawte didn't create the software themselves, and so they didn't sign it as belonging to Thawte. Nevertheless, for the user, having this file signed or not CHANGES ABSOLUTELY NOTHING, because the user knows nothing about the company that signed it.
TNT
09.12.07 - 5:36 pm

As for "even if it is not, it would still mean that any malware author will be able to produce only one signed malware program", I have no idea what the hell that's supposed to mean... we have several gromozon files, all signed, and all with different checksums.
TNT
09.12.07 - 5:44 pm

And for the traceability, I challenge anybody to find some information about this "Newtech Inc." of Panama...
TNT
09.12.07 - 5:48 pm

This discussion is even more pointless considering the PR from Thawte:
# Gives your users recourse to the person who published it
# Promotes the Internet as a secure and viable platform for content distribution
# Has the benefit of thawte's world-class certification procedures
# Inspires user confidence
Link: http://www.thawte.com/ssl-digita...cts-codesigning
alex eckelberry
09.12.07 - 5:52 pm

"Inspires user confidence" is particularly hilarious. Hey, it inspires confidence, no wonder Internet criminals choose to have their stuff signed.
TNT
09.12.07 - 5:55 pm

And another thought before I'm done. How can you trust the average user to understand that the digital signature has ZERO value when it comes to telling whether a file will be malicious or not, when even people who are in the security business make the same mistake (trusting digitally signed files "more"), as shown above?
TNT
09.12.07 - 6:01 pm

Good that it is being revoked.
Still, you can't assume that the authenticity certificates do ANYTHING apart from certifying that the file has not been altered by a third party. They say nothing about the file being benign, and they say nothing about the signing party being trustworthy.
So maybe some people should stop assuming they do.
TNT
09.12.07 - 8:49 pm

Apparently some folks here have the expectation that if a company signs malware, the issuer of their cert is obligated to revoke their cert. That's certainly not the typical obligation of a cert issuer.
A cert issuer revokes a cert when it becomes evident that someone other than the party named in the cert (the "subject") is able to sign things with it, or the subject party admits that they've lost exclusive control of the private key. In other words, when a signature that is verifiable with that cert no longer means that the subject party actually signed the code, then the cert gets revoked.
Perhaps some issuers have agreements with their subjects (with the people to whom they issue certs) that allow the issuers to revoke certs if they've been used to sign malware, but I suspect that's pretty rare. That might make the issuer liable for the malware, and no issuer wants to be liable for the stuff that a subject signs.
MisterSSL (Mozilla crypto deve
09.12.07 - 9:43 pm

MisterSSL, the point is that for the end user this deals with security only if (a) the end user already trusts the signing party and (b) understands the concept behind the signature. In the vast majority of cases, this is not true.
Yet some people seem to forget that, and advocate digital code signatures from authorities like Thawte as if they're able to keep away malicious code from the end user's computer. This came out when a few claimed the so-called "superiority" of Internet Explorer to Firefox for the end user because Internet Explorer could verify ActiveX signatures and Firefox didn't verify the extensions. As you can see, the ActiveX signatures mean nothing to the end user, because he doesn't know what he can trust.
The digital signatures might prevent code from being run if a malicious third party modified a legitimate program, but they won't keep out malicious code that was specifically created by malicious parties.
I don't expect the average users to be aware of this, but I expect people who work in computer security-related jobs to.
TNT
09.12.07 - 10:15 pm

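MisterSSL's distinction (the issuer vouches for who the subject is, not for what the software does), TNT's reply (a signature only helps a user who already trusts the signer) and the later revocation discussion can be made concrete in code. The Go program below is an added example, not code from anyone in this thread: it builds a constructed issuer CA and a constructed "Newtech Inc." code-signing certificate, signs a file, and then keeps chain/signature validity separate from the user's own publisher allowlist and from a revocation lookup. The names are constructed, Ed25519 over the raw file stands in for the real Authenticode format, and the local revokedSerials set stands in for a CRL/OCSP check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Verdict keeps apart the two questions the thread says users conflate: whether the
// named subject signed this exact file, and whether the user has any reason to trust it.
type Verdict struct{ SignatureValid, Revoked, PublisherTrusted bool; Publisher string }

// issueCert makes a code-signing certificate for subject. With parent == nil it is a
// self-signed CA standing in for an issuer like Thawte; the issuer vouches for identity only.
func issueCert(subject string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if parent == nil { // self-signed root: must also be allowed to sign certificates
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// signFile is the publisher's step: sign the file with its code-signing key (Ed25519 stand-in).
func signFile(key ed25519.PrivateKey, file []byte) []byte {
	return ed25519.Sign(key, file)
}

// evaluate is the user's step. Chain and signature checks establish identity and integrity
// only; trustedPublishers is the user's own allowlist, revokedSerials stands in for CRL/OCSP.
func evaluate(file, sig []byte, signer *x509.Certificate, roots *x509.CertPool, trustedPublishers, revokedSerials map[string]bool) Verdict {
	v := Verdict{Publisher: signer.Subject.CommonName}
	_, chainErr := signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	pub, ok := signer.PublicKey.(ed25519.PublicKey)
	v.SignatureValid = chainErr == nil && ok && ed25519.Verify(pub, file, sig)
	v.Revoked = revokedSerials[signer.SerialNumber.String()]
	v.PublisherTrusted = v.SignatureValid && !v.Revoked && trustedPublishers[v.Publisher]
	return v
}
```

A file signed under the constructed Newtech certificate verifies cleanly yet is not trusted until the user adds that publisher to the allowlist, and a self-signed impostor using the same company name fails the chain check entirely.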
MisterSSL claims that it is "rare" that a cert issuer has an agreement with its subjects allowing revocation for signing malware. I haven't made comparisons across all cert issuers, but from what I've seen so far, such an agreement is actually quite typical.
In http://www.benedelman.org/news/0...s/020305-1.html, I cited the VeriSign rules that let VeriSign revoke certs for malware. See section "Why VeriSign Should Get Involved."
As to Thawte: Thawte's Code Signing Certificate Subscriber Agreement, http://www.thawte.com/en/reposit...t_agreement.pdf, requires each code signing recipient to certify that its software "has not been and will not be used for any unlawful purpose" (8.2.iv.) and that "you will use your Certificate exclusively for authorized and legal purposes" (8.2.vii.). Provision 5.ii specifically allows Thawte to revoke a certification if a recipient fails to live up to its obligations.
So, MisterSSL, I think Thawte actually has ample basis to withdraw the Gromozon certs if it so chooses. I take Alex's initial post to suggest that Thawte ought to do so. I agree.
Ben Edelman
09.12.07 - 10:37 pm

Ben Edelman beat me to it. Maybe it's rare, but it's happened before and the rules behind it are typical. The "CLICK YES TO CONTINUE" example I cited above was uncovered by Mr. Edelman.
Note this was also used in the more controversial case of Atsiv.
Larry Seltzer
09.12.07 - 10:46 pm

Thanks for clarifying, Mr. Edelman.
So as it turns out, this was actually even worse than I imagined, as Thawte's license agreement states that certificates can't be released to sign software used for any illegal purposes, yet that's exactly what happened.
Now that this is clear I will definitely take a look at several other malware pieces that we possess which are still digitally signed and are clearly installed through deceptive or illegal means.
TNT
09.13.07 - 12:16 am

TNT wrote:
"And for the traceability, I challenge anybody to find some information about this "Newtech Inc." of Panama..."
Since Thawte issued them a cert, I would assume they have some contact information for Newtech Inc. Perhaps Thawte ought to make that info known so the malware purveyors can be brought to justice.
suzi
09.13.07 - 1:09 am

Taking a wild guess:
Jimmy Mc FakeName,
10 Fakepants Lane
Faketown
1-800-fake-lol
Paperghost
09.13.07 - 2:25 am

>A certificate doesn't mean "this software is good". It means "this software comes from someone who is well identified and can be held accountable for it." Thawte isn't saying "this software is good". They're saying "This software comes from Newtech." Thawte doesn't say "This company is good". Instead they say "This company is real, and really is the source of this software."
The whole signing model breaks down anyway when you think like a criminal. Want a certificate? Steal it by grabbing it via one of your backdoor trojan stealers. Visual Studio makes it easier to apply a signing cert from a file. And who wants to enter a password for each build component that gets signed. Therefore ... a developer cert ripe for the stealing.
But, the dev was smart enough not to leave the cert lying around in a file? The crim could just sign 1000 mutations of his virus via his trojan backdoor on the dev's system and be ready to deploy with his pseudo-polymorphic signed virus.
Meanwhile the only party you can lay a finger on is also a victim.
Certificate Distruster
09.14.07 - 10:59 pm

There's a theoretical case for what Certificate Distruster describes, but I don't know of it ever actually happening. After years of bots and code signing I don't think it's worth worrying about.
Larry Seltzer
09.15.07 - 10:08 am

Before Slammer, who needed to firewall off the SQL port, or who thought it important to patch?
The compromised Cert scenario becomes more likely as it becomes ever more difficult to get Vista or Vista 64 to accept unsigned code. Bottom line, never automatically trust all code signed by any company, including Microsoft.
Certificate Distruster
09.16.07 - 4:01 pm

CD, that's nuts. Microsoft writes the OS. You have to trust them.
Larry Seltzer
09.16.07 - 10:46 pm

Perhaps I misspoke - I have no problem trusting Microsoft; I just don't automatically trust all certificates signed by Microsoft. Automatically trusting all certificates from a publisher removes a layer of security, and increases the possibility of a silent "drive by" download.
http://www.microsoft.com/technet...n/MS01-017.mspx
Certificate Distruster
09.17.07 - 9:31 am