DOI: 10.1145/3133956.3133958
Research article (Public Access)

Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI

Published: 30 October 2017

ABSTRACT

Digitally signed malware can bypass system protection mechanisms that install or launch only programs with valid signatures. It can also evade anti-virus programs, which often forgo scanning signed binaries. Known from advanced threats such as Stuxnet and Flame, this type of abuse has not been measured systematically in the broader malware landscape. In particular, the methods, effectiveness window, and security implications of code-signing PKI abuse are not well understood. We propose a threat model that highlights three types of weaknesses in the code-signing PKI. We overcome challenges specific to code-signing measurements by introducing techniques for prioritizing the collection of code-signing certificates that are likely abusive. We also introduce an algorithm for distinguishing among different types of threats. These techniques allow us to study threats that breach the trust encoded in the Windows code-signing PKI. The threats include stealing the private keys associated with benign certificates and using them to sign malware, and impersonating legitimate companies that do not develop software and, hence, do not own code-signing certificates. Finally, we discuss the actionable implications of our findings and propose concrete steps for improving the security of the code-signing ecosystem.

Published in

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
October 2017, 2682 pages
ISBN: 9781450349468
DOI: 10.1145/3133956

Copyright © 2017 ACM

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

      Publisher

      Association for Computing Machinery

      New York, NY, United States

Acceptance Rates

CCS '17 paper acceptance rate: 151 of 836 submissions (18%)
Overall acceptance rate: 1,261 of 6,999 submissions (18%)
