Hello, welcome to the Friday, November 3rd, 2017 edition of the Sansonet Storm Center's Stormcast. My name is Johannes

Ulrich and I'm recording from Frankfurt, Germany. In the past, there have been few examples of

Malver that carried valid digital signatures from trusted developers.

One of the highest profile pieces of malware was probably Stuxnet, but researchers at the

University of Maryland took a closer look at digital signatures, looking at a large sample

of millions of pieces of malware that they obtained via

semantic and what they found is that there were actually a number of piece of malware that did carry

valid digital signatures out of this very large sample they found 325 signed pieces of malware. Now, 189 or about 60% of the samples

were properly signed. Probably even more concerning is that 136 samples did carry a digital signature that was malformed. Apparently a lot of

anti-malware will not scan a sample if it does carry a known signature, but the anti-malware

solution never verifies if the signature is valid for this particular sample.

So an attacker can essentially just copy, paste a signature from valid software to a malicious program

and the malicious program will now no longer be inspected by your anti-mailware solution. This is of course a real

big concern. The malware would probably still show up with an invalid signature once the user

starts it, but quite often you don't really want to get to the point where you allow the

user to make a decision whether or not this

particular piece of software is malicious. And as far as the valid signatures go, most of them

were caused by certificates or actually secret keys that were compromised. A couple of them

were also caused by infected developer workstations.

And sadly, many of the certificates that were based on these compromised secret keys

were never actually revoked.

And then, of course, there were also a few certificates, about a quarter of them that were issued by

...