Large Percentage of Malware Downloads Are Signed with Valid Certificates
The misuse of code signing certificates is so widespread that a larger percentage of malware downloaded to computers is digitally signed than that of benign software programs.
Antivirus company Trend Micro studied 3 million software downloads on hundreds of thousands of computers and found that a large portion of the first-stage malware components downloaded from the web is digitally signed.
Digital signatures make programs appear more trustworthy and have a direct impact on the warnings that operating systems and browsers display when executable files are executed.
Trend Micro found that 86 percent of malware droppers—the lightweight malicious programs that install additional malware components—were digitally signed. So were 60 percent of Trojan programs, 44 percent of ransomware applications and 43 percent of adware.
When it came to malicious programs that were exclusively downloaded through browsers, the ratios of digitally signed files were even higher: 95 percent of droppers, 92 percent of adware, 81 percent of trojans and 69 percent of ransomware installers.
At the same time, only around 1 in 3 of the benign programs downloaded to computers during the study were digitally signed. And this wasn’t a matter of scale, because the total number of non-malicious downloads that were scanned was about the same as the number of malware droppers.
“There is an entire market supporting the operations of malware operators that have gained access to valid certificates that are then used in signing malicious software,” the Trend Micro researchers said in a blog post. “In our analysis, we observed a large number of malicious software that have been signed by trusted authorities—bypassing any client-side validation mechanisms built in recent OSs and browsers.”
Furthermore, cybercriminals seem to focus their signing activity on the first-stage malware components—those used to gain access to systems in the first place. The second-stage components, which are typically more sophisticated and are used to take full control of infected computers, are not as frequently signed.
This makes sense from a business perspective because code signing certificates are expensive and hard to obtain, more so than the certificates used to secure websites. So, attackers either steal them from legitimate developers or set up fake businesses and use those identities to buy them from certificate authorities (CAs).
“A general problem that we observed is that CAs—to different extents—fail in properly validating the certificate requests they receive,” the Trend Micro researchers said. “We don’t know if this is, somehow, voluntary and where the line of responsibility terminates.”
“Code signing is a very efficient technique in defending against malware, but as revealed in our research, it is not foolproof and can be abused,” the researchers concluded. “Users and businesses should carefully evaluate any software installed on their system, on top of standard precautions like updating the operating systems and implementing cybersecurity solutions.”
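The practical takeaway from the Trend Micro figures is that "signed" and "trustworthy" are different questions: the operating system's check answers whether the signature chains to a trusted root, not whether the publisher is one you expected. The PowerShell script below is an added example, not code from Trend Micro or from this article; it inventories Authenticode signatures under a folder and separates unsigned, tampered and untrusted files from files that carry a valid signature from a publisher that is not on an allowlist. The folder path and the allowlist subject are placeholders you replace with your own.

```powershell
# Added example (not from the Trend Micro report): audit Authenticode signatures and
# flag files whose chain validates but whose signer is not an expected publisher.
# Assumptions: $Root and $TrustedSubjects are placeholders for your environment.
param(
    [string]$Root = "$env:USERPROFILE\Downloads",     # assumed folder to audit
    [string[]]$TrustedSubjects = @(                    # hypothetical allowlist of signer subjects
        'CN=Example Software Inc, O=Example Software Inc, L=Redmond, S=Washington, C=US'
    )
)

function Get-SignerVerdict {
    param([System.Management.Automation.Signature]$Sig, [string[]]$Allowlist)
    $subject = if ($Sig.SignerCertificate) { $Sig.SignerCertificate.Subject } else { $null }
    # A 'Valid' chain is only half the story; the signer also has to be one you approved.
    switch ($Sig.Status) {
        'NotSigned'    { return 'UNSIGNED' }
        'HashMismatch' { return 'TAMPERED' }           # file changed after signing
        'NotTrusted'   { return 'UNTRUSTED-CHAIN' }    # signed, but chain does not reach a trusted root
        'Valid'        {
            if ($Allowlist -contains $subject) { return 'TRUSTED' }
            return 'VALID-UNKNOWN-SIGNER'              # passes the OS check, publisher never approved
        }
        default        { return "OTHER:$($Sig.Status)" }
    }
}

$results = Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll, *.msi, *.ps1 |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
            Verdict    = Get-SignerVerdict -Sig $sig -Allowlist $TrustedSubjects
        }
    }

# The interesting set: files an OS "is it signed?" check would wave through
$results | Where-Object Verdict -eq 'VALID-UNKNOWN-SIGNER' |
    Format-Table File, Signer, Thumbprint -AutoSize

# Breakdown by verdict, the same signed-vs-unsigned view the study reports, for your own data
$results | Group-Object Verdict | Select-Object Name, Count
```

Keying the allowlist on the certificate subject keeps the example short; in production you would also pin thumbprints or issuer chains, since a fraudulently obtained certificate can carry a subject that looks like a legitimate company name, which is exactly the fake-business route the article describes.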
Study: One-Fifth of Every Company’s Folders Are Open to All Employees
The majority of companies are careless with their data, enabling attackers who get onto their networks to easily reach sensitive information, a new study shows.
Security firm Varonis analyzed the findings of data risk assessments it performed for customers from more than 50 countries spanning more than 30 industries, including financial services, IT, education, retail, utilities and governments. And the conclusions are not great for corporate data security.
Varonis found that, on average, 21 percent of shared folders inside any company are accessible to every employee and that 30 percent of companies have more than 1,000 such folders. The study looked at more than 5.5 petabytes of corporate data contained in 6.2 billion files across 459.2 million folders.
“While organizations focus on keeping attackers out, all too often the data itself remains widely accessible and unmonitored,” the company warned in its report. “That’s like putting all your defenses and resources into building the strongest, highest castle walls, but leaving your crown jewels draped on the coat rack beside the front door.”
But it’s not only the openly accessible files that are a problem. Many companies also do a poor job of revoking access to old accounts that are no longer used. Varonis found that on average over a third of user accounts with access to a company’s shared folders were stale.
“Ghost user accounts can lie dormant, going unnoticed day to day, yet still provide access to systems and data,” Varonis said in the report. “Stale, but still enabled, user accounts are a great way for hackers to test the waters. Stale user accounts that are no longer active create noise that can make security more difficult for organizations.”
Another big problem identified was that around half of the data shared on internal networks was itself stale, meaning it was no longer needed for active day-to-day operations. This data included sensitive information that is subject to various regulations such as SOX, HIPAA, PCI, and GDPR and poses a security and liability risk if kept around beyond a reasonable retention period.
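The two conditions the Varonis findings describe, folders open to every employee and enabled accounts nobody uses, are both things an administrator can measure directly. The PowerShell script below is an added example, not part of the Varonis report or this article; it walks a share, counts folders whose ACL grants access to broad groups that amount to "all employees", and lists enabled Active Directory users with no logon in a chosen window. The share path and the 90-day threshold are assumptions, and the stale-account part needs the ActiveDirectory module (RSAT) on a domain-joined host.

```powershell
# Added example (not from the Varonis report): measure broadly accessible folders and
# stale-but-enabled user accounts. Assumptions: $ShareRoot is a placeholder share;
# $StaleDays is a threshold chosen here, not a figure from the report.
param(
    [string]$ShareRoot = '\\fileserver\shared',   # hypothetical share to audit
    [int]$StaleDays = 90                          # inactivity window for "ghost" accounts
)

# Identities that effectively mean "every employee" in a typical Windows domain
$broadGroups = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
                 "$env:USERDOMAIN\Domain Users")

$folders = Get-ChildItem -Path $ShareRoot -Directory -Recurse -ErrorAction SilentlyContinue

$openFolders = foreach ($folder in $folders) {
    $acl = Get-Acl -Path $folder.FullName
    # Allow rules granted to one of the broad groups, regardless of the rights level
    $hits = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadGroups -contains $_.IdentityReference.Value
    }
    if ($hits) {
        [pscustomobject]@{
            Folder = $folder.FullName
            Grants = ($hits | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
        }
    }
}

$openCount  = @($openFolders).Count
$totalCount = [math]::Max(@($folders).Count, 1)
"{0} of {1} folders ({2:P0}) grant access to broad groups" -f $openCount, $totalCount, ($openCount / $totalCount)
$openFolders | Format-Table -AutoSize

# Stale-but-enabled accounts: the "ghost users" the report warns about
Import-Module ActiveDirectory
$stale = Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($StaleDays)) -UsersOnly |
    Where-Object Enabled -eq $true |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName
"{0} enabled user accounts with no logon in the last {1} days" -f @($stale).Count, $StaleDays
$stale | Format-Table -AutoSize
```

The folder percentage this prints is the same measure as the report's 21 percent figure, computed for one share; nested-group membership is not expanded here, so a folder granted to a custom group that itself contains Domain Users would be missed and would need a group-membership check on top.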