
2021 | Original Paper | Book Chapter

Certified Malware in South Korea: A Localized Study of Breaches of Trust in Code-Signing PKI Ecosystem

Authors: Bumjun Kwon, Sanghyun Hong, Yuseok Jeon, Doowon Kim

Published in: Information and Communications Security

Publisher: Springer International Publishing


Abstract

Code-signing PKI ecosystems are vulnerable to abuse. Kim et al. reported such abuse cases; for example, malware authors used the stolen private keys of reputable code-signing certificates to sign their malicious programs. This certified malware exploits the chain of trust established in the ecosystem and helps an adversary readily bypass security mechanisms such as anti-virus engines. Prior work analyzed large corpora of certificates collected in the wild to characterize the security problems. However, this analysis was typically performed from a global perspective and often left behind issues that arise at a local level. Our work revisits the investigations of previous studies from a local perspective. In particular, we focus on code-signing certificates issued to South Korean companies. South Korea employs the code-signing PKI ecosystem with its own regional adaptations; thus, it is a perfect candidate for comparison. To begin with, we build a data collection pipeline and collect 455 certificates that were issued to South Korean companies and are potentially misused. We analyze those certificates along three dimensions: (i) abusers, (ii) issuers, and (iii) the life-cycle of the certificate. We first identify that strong government regulation can affect the market share of CAs. We also observe several problems in certificate revocation: (i) certificates issued by local companies that have since closed their code-signing business still exist, (ii) only 6.8% of the abused certificates are revoked, and (iii) eight certificates are not revoked properly. All of these could extend the validity of certified malware in the wild. Moreover, we show that the number of abuse cases is high in South Korea, even though it has a small population. Our study implies that Korean security practitioners need to pay immediate attention to code-signing PKI abuse cases to safeguard the entire ecosystem.


References
5. Alrawi, O., Mohaisen, A.: Chains of distrust: towards understanding certificates used for signing malicious applications. In: WWW 2016, Republic and Canton of Geneva, Switzerland (2016)
6. Chai, S.-W., Min, K.-S., Lee, J.-H.: A study of issues about accredited certification methods in Korea. Int. J. Secur. Appl. 9(3), 77–84 (2015)
7. Code Signing Working Group: Minimum requirements for the issuance and management of publicly-trusted code signing certificates. Technical report (2016)
9. Durumeric, Z., Wustrow, E., Halderman, J.A.: ZMap: fast Internet-wide scanning and its security applications. In: Proceedings of the 22nd USENIX Conference on Security, SEC 2013, Berkeley, CA, USA, pp. 605–620. USENIX Association (2013)
10. Falliere, N., O'Murchu, L., Chien, E.: W32.Stuxnet dossier. Symantec Whitepaper (February 2011)
12. Google: Announcing the first SHA1 collision (February 2017)
13. Kim, D., Kwon, B.J., Dumitraş, T.: Certified malware: measuring breaches of trust in the Windows code-signing PKI. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017 (2017)
14. Kim, D., Kwon, B.J., Kozák, K., Gates, C., Dumitraş, T.: The broken shield: measuring revocation effectiveness in the Windows code-signing PKI. In: 27th USENIX Security Symposium, USENIX Security 2018. USENIX Association (2018)
16. Kotzias, P., Bilge, L., Caballero, J.: Measuring PUP prevalence and PUP distribution through pay-per-install services. In: Proceedings of the USENIX Security Symposium (2016)
17. Kotzias, P., Matic, S., Rivera, R., Caballero, J.: Certified PUP: abuse in Authenticode code signing. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015. ACM, New York (2015)
18. Kozák, K., Kwon, B.J., Kim, D., Gates, C., Dumitraş, T.: Issued for abuse: measuring the underground trade in code signing certificate. In: 17th Annual Workshop on the Economics of Information Security (WEIS) (2018)
19. Kwon, B.J., Srinivas, V., Deshpande, A., Dumitraş, T.: Catching worms, trojan horses and PUPs: unsupervised detection of silent delivery campaigns. In: 24th Annual Network and Distributed System Security Symposium, NDSS 2017 (2017)
20. Microsoft: Microsoft security advisory: update for deprecation of MD5 hashing algorithm for Microsoft root certificate program (13 August 2013)
24. Microsoft: Erroneous VeriSign-issued digital certificates pose spoofing hazard (2001)
26. Morowczynski, M.: SHA-1 deprecation and changing the root CA's hash algorithm (2018)
27. Niemela, J.: It's signed, therefore it's clean, right? (2010)
29. Park, H.M.: The web accessibility crisis of the Korea's electronic government: fatal consequences of the digital signature law and public key certificate. In: 2012 45th Hawaii International Conference on System Sciences, pp. 2319–2328. IEEE (2012)
31. Swiat: Flame malware collision attack explained (June 2012)
32. Wood, M.: Want my autograph? The use and abuse of digital signatures by malware. In: Virus Bulletin Conference, pp. 1–8 (September 2010)
33. Yilek, S., Rescorla, E., Shacham, H., Enright, B., Savage, S.: When private keys are public: results from the 2008 Debian OpenSSL vulnerability. In: Proceedings of the 9th ACM SIGCOMM Conference on Internet Measurement, IMC 2009. ACM (2009)
Metadata
Title
Certified Malware in South Korea: A Localized Study of Breaches of Trust in Code-Signing PKI Ecosystem
Authors
Bumjun Kwon
Sanghyun Hong
Yuseok Jeon
Doowon Kim
Copyright year
2021
DOI
https://doi.org/10.1007/978-3-030-86890-1_4
