A digital signature applied to an object is meant to verify that the object comes from a known source, and also that the file has not been tampered with subsequently. In addition, the source of the software would have been registered with a well-known certificate authority which confers on the source an aura of legitimacy, and thus a vicarious trust on the signed object.
The mere presence of a digital signature, however, does not intend that the file in question is clean. Malware authors can and do exploit the misconception of trust associated with digital signatures to defraud the user into running their wares. The Zeus family of malware, for example, used self-signed certificates masquerading as a certificate from a legitimate company. The Stuxnet malware generated digital signatures using stolen private keys.
When legitimately signed software exhibit questionable behaviour, it leads to complications. Such applications come from software distributors who digitally sign their code and make it appear clean by bundling them with other legitimate applications. A colleague from the Anti-Virus community had recently blogged about one such software distributor – Pinball Corp., whose software displays dubious behaviour. The software comes bundled with installers for legitimate media related software like:
- XVid Codec
- FLV Codec
- VLC Player etc.
At K7TCL, we’ve been noticing that these digitally signed installers come with a new checksum almost everyday over the last couple of months, and that this trend is still continuing. One wonders why a company claiming to distribute legitimate applications would employ:
- Server-side polymorphism – A technique used by malware authors to avoid being detected by security vendors
- Missing codec scam – A social engineering technique used by malware authors to lure victims into running files
The ethical use of digital signatures states that a digital certificate can be revoked if mis-representation of software behaviour is suspected. But what constitutes this mis-representation? It seems that either the certificate issuing authority is unaware of this abuse, or perhaps it is aware, but is unwilling to act upon it. Either way, the security vendors may be left with no choice but to take matters into their own hands. These files, despite having a legitimate digital signature, are detected as Adware/Spyware by most Anti-Virus vendors.
Lokesh Kumar
K7 TCL
