Using a machine learning system, we analyzed 3 million software downloads, involving hundreds of thousands of internet-connected machines, and provide insights in this three-part blog series. In the first part of this series, we took a closer look at unpopular software downloads and the risks they pose to organizations. We also briefly mentioned the problem regarding code signing abuse, which we will elaborate on in this post.
Code signing is the practice of cryptographically signing software with the intent of giving the operating system (like Windows) an efficient and precise way to discriminate between a legitimate application (like an installer for Microsoft Office) and malicious software. All modern operating systems and browsers automatically verify signatures by walking a certificate chain.
Valid certificates are issued or signed by trusted certification authorities (CAs), whose own certificates are in turn signed by parent CAs up to a trusted root. This mechanism relies entirely and strictly on the concept of trust. We assume that malware operators are, by definition, untrustworthy entities. Supposedly, these untrustworthy entities have no access to valid certificates. However, our analysis shows that is not the case.
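The chain-of-trust decision described above, as an added example that is not part of the original post: the script builds a toy hierarchy with openssl (a self-signed root, an intermediate CA, and a code-signing leaf), signs a constructed sample binary, and checks both the signature and the chain. A second, structurally identical hierarchy whose root is not in the trust store produces a signature that is cryptographically valid but fails chain validation, which is exactly where the trust assumption lives. All names (Example Root CA, app.bin, rogue_root, ...) are constructed for the demo; it assumes an openssl binary of version 1.1.1 or later (for `-addext`).

```sh
#!/bin/sh
# Added example, not code from the original post. Builds two toy chains with
# openssl and shows that signature validity and chain trust are separate checks.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"
# Minimal req config so the script does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf

# Self-signed root CA: stands in for a trust anchor the OS would ship with.
make_root() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -config req.cnf \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=$1" -days 30 \
    -addext "basicConstraints=critical,CA:TRUE" >/dev/null 2>&1
}

# Issue certificate $1, signed by CA $2, with the extensions listed in $3.
issue_cert() {
  printf '%b\n' "$3" > "$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -out "$1.pem" -days 30 -extfile "$1.ext" >/dev/null 2>&1
}

# Chain validation: does leaf $1 chain, via untrusted intermediate $2, to the
# one root we trust (root.pem)? The system store is deliberately ignored.
verify_chain() {
  openssl verify -no-CAfile -no-CApath -CAfile root.pem \
    -untrusted "$2" "$1" >/dev/null 2>&1
}

# Does certificate $1 carry the Code Signing extended key usage?
has_code_signing_eku() {
  openssl x509 -in "$1" -noout -text | grep -q 'Code Signing'
}

# Detached SHA-256 signature over file $1 with the key of $2, written to $3.
sign_file() {
  openssl dgst -sha256 -sign "$2.key" -out "$3" "$1"
}

# Pure cryptographic check: does signature $3 over $1 match the key in $2.pem?
verify_sig() {
  openssl x509 -in "$2.pem" -pubkey -noout > "$2.pub"
  openssl dgst -sha256 -verify "$2.pub" -signature "$3" "$1" >/dev/null 2>&1
}

CA_EXT='basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign'
LEAF_EXT='basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=critical,codeSigning'

# Trusted hierarchy.
make_root root
issue_cert intermediate root "$CA_EXT"
issue_cert leaf intermediate "$LEAF_EXT"

# Rogue hierarchy: same shape, same extensions, but its root is not trusted.
make_root rogue_root
issue_cert rogue_int rogue_root "$CA_EXT"
issue_cert rogue_leaf rogue_int "$LEAF_EXT"

printf 'constructed sample binary\n' > app.bin   # constructed input
sign_file app.bin leaf app.sig
sign_file app.bin rogue_leaf rogue.sig

if verify_sig app.bin leaf app.sig && verify_chain leaf.pem intermediate.pem \
   && has_code_signing_eku leaf.pem; then
  echo "leaf: signature valid, chain trusted, code-signing EKU present"
fi
if verify_sig app.bin rogue_leaf rogue.sig; then
  echo "rogue: signature is cryptographically valid..."
fi
if ! verify_chain rogue_leaf.pem rogue_int.pem; then
  echo "rogue: ...but chain rejected: issuing root is not in the trust store"
fi
```

Two takeaways for defenders: the signature check alone says nothing about who signed, so any verifier must anchor the chain to an explicit trust store and check the Code Signing EKU on the leaf; and a signature from a leaf that does chain to a trusted root is accepted without further questions, which is why a stolen or fraudulently obtained certificate is so valuable to a malware operator and why revocation and publisher reputation matter on top of chain validation.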