Content Distribution Networks Fuel Rising Threat of Digitally Signed Malware

According to a recent report from McAfee, the number of digitally signed malware samples tripled in 2013, driven largely by the abuse of automated Content Distribution Networks (CDNs) that wrap malicious binaries within digitally signed, otherwise legitimate installers.

Code signing is a method of validating the identity of the developer who produced a piece of code, in an effort to ensure the code has not been tampered with or modified since it was signed with the developer's digital certificate.

In its McAfee Labs Threats Report: Fourth Quarter 2013, McAfee said this accelerating trend could pose a significant threat to the long-established certificate authority (CA) model for authenticating “safe” software.

Code Signing Malware

By the end of 2013, McAfee said the number of malicious signed binaries in its database tripled to more than 8 million suspicious binaries. In the fourth quarter alone, McAfee identified more than 2.3 million new malicious signed applications, a 52 percent jump from the previous quarter.

“Cybercriminals have an all-out assault on digital certificates,” Kevin Bocek, VP Security Strategy & Threat Intelligence at Venafi, told SecurityWeek.

McAfee Labs has cautioned that the rising number of maliciously signed files could create confusion among users and administrators, and even call into question the continued viability of the CA model for code signing.

“Although the expansion of the CA and CDN industries has dramatically lowered the cost of developing and issuing software for developers, the standards for qualifying the identity of the publisher have also decreased dramatically,” said Vincent Weafer, senior vice president for McAfee Labs. “We will need to learn to place more trust in the reputation of the vendor that signed the file, and less trust in the simple presence of a certificate.”
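As an added example that is not part of the article, the McAfee report, or any vendor's code, the following Go program implements the distinction Weafer draws. It verifies a signed artifact the way the code-signing model described above does (integrity of the bytes, plus a certificate that chains to a trusted root with the code-signing extended key usage), and then separately requires the signing publisher to be on an allowlist, so that "a certificate is present and valid" is not by itself a pass. All keys, identities and payload bytes are constructed for the example; the root CA, "Trusted Vendor Inc", "Dubious CDN Wrapper Ltd" and the self-signed publisher are assumptions, not real organisations. The signature is a bare ECDSA signature over SHA-256 of the payload rather than the real Authenticode format, and the `must` helper uses generics, so Go 1.18 or later is assumed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Sentinel errors name which of the three checks rejected an artifact.
var ErrBadSignature = errors.New("signature does not match payload")
var ErrUntrustedChain = errors.New("certificate does not chain to a trusted CA")
var ErrUnknownPublisher = errors.New("publisher not on allowlist")

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newKey returns a fresh P-256 key; every key and identity here is constructed for the example.
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// newCert issues a code-signing certificate for cn; parent == nil makes it self-signed.
func newCert(cn string, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der))
}

// Sign returns an ECDSA signature over SHA-256(payload): the "wrapper" a signed installer carries.
func Sign(key *ecdsa.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	return must(ecdsa.SignASN1(rand.Reader, key, digest[:]))
}

// Verify checks integrity, then the chain to a trusted root with the code-signing EKU, then the publisher allowlist.
func Verify(payload, sig []byte, cert *x509.Certificate, roots *x509.CertPool, allow map[string]bool) error {
	digest := sha256.Sum256(payload)
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return ErrBadSignature
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("%w: %v", ErrUntrustedChain, err)
	}
	if !allow[cert.Subject.CommonName] {
		return fmt.Errorf("%w: %q", ErrUnknownPublisher, cert.Subject.CommonName)
	}
	return nil
}

// Scenario builds a constructed root CA and three signers, then verifies four artifacts.
func Scenario() map[string]error {
	caKey := newKey()
	ca := newCert("Example Root CA (constructed)", caKey, nil, nil, true)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	vendorKey, cdnKey, selfKey := newKey(), newKey(), newKey()
	vendor := newCert("Trusted Vendor Inc (constructed)", vendorKey, ca, caKey, false)
	cdn := newCert("Dubious CDN Wrapper Ltd (constructed)", cdnKey, ca, caKey, false) // CA-issued, not a vetted publisher
	self := newCert("Self-signed Publisher (constructed)", selfKey, nil, nil, false)
	allow := map[string]bool{"Trusted Vendor Inc (constructed)": true}
	installer := []byte("constructed installer bytes")
	sig := Sign(vendorKey, installer)
	tampered := append(append([]byte{}, installer...), "+dropper"...) // modified after signing
	return map[string]error{
		"vendor-signed": Verify(installer, sig, vendor, roots, allow),
		"tampered":      Verify(tampered, sig, vendor, roots, allow),
		"cdn-wrapped":   Verify(installer, Sign(cdnKey, installer), cdn, roots, allow),
		"self-signed":   Verify(installer, Sign(selfKey, installer), self, roots, allow),
	}
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-14s %v\n", name, err)
	}
}
```

Running it prints one line per artifact (map order is random): only the vendor-signed installer verifies with a nil error; the tampered copy fails the integrity check, the CDN-wrapped copy carries a perfectly valid CA-issued certificate and still fails the allowlist, and the self-signed certificate fails chain building. The allowlist keyed on the subject name is the simplest form of the "reputation of the vendor" check; a production policy would key on the full subject and issuer, pin expected certificate hashes, and consult revocation.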

“McAfee’s Q4 Threat Report is just one indicator in a long list that shows cybercriminals are attacking the trust established by digital certificates and cryptographic keys,” Bocek said.

Digitally signed malware can often circumvent the existing security protections organizations have in place and enable attackers to obtain “trusted status” undetected for as long as they desire. According to a recent Ponemon Institute report, enterprises lack the visibility, policies, and security controls needed to protect these trust-based technologies.

“There’s little to no visibility into what keys and certificates are trusted throughout enterprises and no ability to take action, either to enforce policy or respond to attacks,” Bocek said. “The escalation in these types of attacks underscores the problem of unsecured certificates loud and clear. With over 17,000 keys and certificates in typical Global 2000 organizations, there’s a huge attack surface.”

Bocek believes the rise in these attacks should not be a surprise, however.

“From SSL, to code signing, to SSH for administrators and servers, to iOS and Android architectures, we’ve built security systems of the future on keys and certificates,” he said. “They are foundational to our modern world, yet trusting these technologies blindly puts us all in grave peril. Cybercriminals know unprotected keys and certificates are a weak spot in our defenses and will continue to attack there.”

Analysis of “The Mask” APT operation, a sophisticated cyber-espionage campaign uncovered by Kaspersky Lab earlier this year, revealed that hundreds of organizations had SSH keys and SSL keys and certificates stolen. 

“The attacks on keys and certificates are unlike other common attacks seen today. With a compromised or stolen key you can impersonate, surveil, and monitor your targets as well as decrypt traffic or impersonate trusted websites, code, or administrators,” Bocek explained. “Discovering a compromised key and certificate doesn’t kick an attacker out nor solve the problem; until a key and certificate are revoked and replaced the threat doesn’t go away.”

Mandiant also noted in its APT1 Report that nation-state hackers based in China used self-signed digital certificates to implant malware into hundreds of U.S. companies over a period of several years. 

Certificate-based malware attacks come in many shapes and sizes, according to Jeff Hudson, CEO of Venafi.

“One of the most notable attacks comes in the form of a compromised certificate authority, such as what happened to the Dutch CA DigiNotar in 2011,” Hudson wrote in an Oct. 2013 SecurityWeek column.

“That compromise allowed hackers to issue malicious certificates that appeared to be signed and legitimized by DigiNotar,” Hudson continued. “A number of additional public CA compromises followed. The net result was that hackers used falsified certificates to execute man-in-the-middle attacks, fooling people into believing that a false website was in fact real. Not only were user credentials siphoned off, but users were also diverted to malicious sites. This is still a common practice used today; malicious actors even go so far as to use SSL to disguise their activities over the network.”

Additionally, it was discovered that SSH keys provided Edward Snowden with undetected access that allowed him to steal a significant number of classified documents from the NSA.

“Cybercriminals know unprotected keys and certificates are a weak spot in our defenses and will continue to attack there,” Bocek said.

“Although the total number of signed malware samples includes stolen, purchased, or abused certificates, the vast majority of growth is due to dubious CDNs,” McAfee said in its threat report. “These are websites and companies that allow developers to upload their programs, or a URL that links to an external application, and wrap it in a signed installer.”

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
