Saturday, June 8, 2013

Malware Trends and Signed Malware

I took the time this week to catch up on some reading after the Techo Security/Forensics Conference in Myrtle Beach.  Among some of the reading to catch up on was the McAfee Threats Report: First Quarter 2013.  Here are some thoughts:

A couple of notes
New rootkit samples detected remain flat, but down substantially overall since last year.  I don't know what, if anything, this says about security posture.  However, once we break into the numbers a little more, we can see that new samples of TDSS are down substantially while new samples of ZeroAccess  are up.  I think in this case that TDSS was a victim of its own success.  You can only own so much of the open Internet before the community figures you out.  I think the growth in ZeroAccess is largely replacing the void left by TDSS.

On another front, new Fake AV samples are still running strong.  This one never ceases to amaze me.  I mean, who the heck falls for this stuff?  Apparently enough people must to make it at least appear profitable to scammers.  McAfee noted nearly a million new Fake AV samples this quarter alone.

Signed Malware
Signed malware is on the rise, according to McAfee.  However, the growth rate was slower than the last quarter of 2012.  McAfee reported almost 800,000 new signed malware samples in the first quarter of 2013.  Signed malware presents an interesting problem for an attacker.  The digital signature is a specific forensic artifact that aids in attribution.  No more looking for .pdb filenames embedded in your malware.  Once researchers identify one piece of malware signed with a specific certificate, they can instantly determine if any suspect piece of software was signed by the attacker.  The logic follows that if one piece of software signed with a given certificate is malicious, others signed with the same certificate will be too.  This is WAY better than a Yara signature.

On the other hand, some people trust signed software more, especially if it is signed with a 'trusted' certificate.  But what does trusted really mean anyway?  How much scrutiny is required to get a code signing certificate?  None, really.  It's more about jumping through the financial hurdles than about proving you are a legitimate company.  In any case, software with a valid digital signature, trusted or not, may escape extra scrutiny during a post-mortem forensic investigation.  Users may also miss some pop-up warnings when installing (probably inadvertently) properly signed malware, making it more desirable for malware authors.

So, it's a mixed bag.  A year ago, I wouldn't have predicted a mass migration to signed malware for the reasons I mentioned above.  But I would have been wrong.  It turns out that malware authors have a huge financial motive to get this right, and they are moving to signed malware.  This is an endorsement for the technique's perceived efficacy, if nothing else.

If you need a tool to examine digital signature, you can use disitool on Linux.  If you enjoy working on the Windows platform, signtool is a Microsoft provided tool for verifying digital signatures.

Parting Thoughts
Stay tuned for tips on dealing with digitally signed malware and other thoughts on malware in general.


  1. Where can I find a further instruction of how to use tools for examining digital signatures?

    1. If you want to extract a signature or otherwise manipulate it, try Didier Steven's tool. This is cross platform and open source, which is always nice.

      A good Windows tool from MS built-in that allows you to verify digital signatures is signtool.

  2. This comment has been removed by the author.

  3. Been using Kaspersky security for a couple of years now, I'd recommend this product to everyone.


Note: Only a member of this blog may post a comment.