According to Kaspersky Lab, the number of untrusted certificates used to sign malicious software doubled in the last year. By the end of 2014 the company's antivirus database included more than 6,000 of these certificates. Considering the growing number of threats related to signing malicious files, our experts advise system administrators and users not to trust digital signatures without question and not to allow signed files to launch purely on the strength of the signature.
"Virus writers steal and imitate valid signatures to reassure the users and anti-virus solutions that the file is safe. Kaspersky Lab has seen this technique used by advanced persistent threat actors for several years," said Andrey Ladikov, Head of Strategic Research at Kaspersky Lab.
The notorious Stuxnet worm used certificates stolen from Realtek and JMicron. The Winnti gang stole certificates from compromised gaming companies and re-used them in new attacks. Moreover, there are examples of the same certificates being used in attacks launched by other groups of Chinese hackers, suggesting the existence of an underground market. The Darkhotel gang usually signed its backdoors with digital certificates and apparently had access to the secret keys needed to create fake certificates.
To reduce the risk of launching new malware that virus scanners do not recognize and that your computer believes is backed up by a valid digital certificate, it is essential to maintain increased control over signed files with appropriate antivirus protection and to comply with security policies:
1. Impose a ban on launching programs that are digitally signed by an unknown software vendor: most stolen certificates originate from small developers.
2. When encountering certificates from unknown certification centers, do not install them in the certificate store.
3. Do not grant permission to launch programs signed by trusted certificates purely based on the name of the certificate. Check other attributes such as the serial number and the certificate fingerprint (hash sum).
4. Install the Microsoft MS13-098 update: it eliminates the error that allows additional data to be included in a signed file without violating the file signature.
5. Use an antivirus solution that has its own database of trusted and untrusted certificates.
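Recommendation 3 can be enforced with a pinning check like the following, an added example that is not from Kaspersky Lab or the original release. The function name `Test-SignerPinned`, the two lists, their placeholder values and the `C:\Tools` path are assumptions made for illustration.

```powershell
# Added example. Allowlist and untrusted-list values are constructed placeholders,
# not real certificates; replace them with values recorded from your own vendors.
$TrustedSigners = @(
    [pscustomobject]@{
        Vendor     = 'Example Vendor Ltd'                        # label only, never matched on
        Thumbprint = '0000000000000000000000000000000000000000'  # SHA-1 fingerprint (placeholder)
        Serial     = '00AA00BB00CC00DD'                          # serial number (placeholder)
    }
)
# Certificates known to be stolen or abused (placeholder).
$UntrustedThumbprints = @('FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF')

function Test-SignerPinned {
    param([Parameter(Mandatory)][string]$Path)

    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $cert   = $sig.SignerCertificate
    $result = [ordered]@{
        Path = $Path; Allowed = $false; Reason = ''
        Subject = $null; Thumbprint = $null; Serial = $null
    }
    if ($cert) {
        # Recorded for the audit trail; Subject is logged but never used to decide.
        $result.Subject    = $cert.Subject
        $result.Thumbprint = $cert.Thumbprint
        $result.Serial     = $cert.SerialNumber
    }

    if ($sig.Status -ne 'Valid') {
        # Unsigned, modified after signing, or chain not trusted.
        $result.Reason = "signature status is $($sig.Status)"
    }
    elseif ($UntrustedThumbprints -contains $cert.Thumbprint) {
        $result.Reason = 'certificate is on the untrusted list'
    }
    elseif (-not ($TrustedSigners | Where-Object {
                $_.Thumbprint -eq $cert.Thumbprint -and $_.Serial -eq $cert.SerialNumber })) {
        $result.Reason = 'signer not pinned; a matching subject name is not enough'
    }
    else {
        $result.Allowed = $true
        $result.Reason  = 'thumbprint and serial match a pinned signer'
    }
    [pscustomobject]$result
}

# Audit a directory (hypothetical path) and list every file that would be refused.
Get-ChildItem -LiteralPath 'C:\Tools' -Filter *.exe -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SignerPinned -Path $_.FullName } |
    Where-Object { -not $_.Allowed } |
    Format-Table Path, Subject, Thumbprint, Reason -AutoSize
```

A file signed with a valid certificate that merely carries a pinned vendor's name is refused here, because only the fingerprint and serial number are compared.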
To learn more, please read the blog post available at Securelist.com.
About Kaspersky Lab
Kaspersky Lab is the world's largest privately held vendor of endpoint protection solutions. The company is ranked among the world's top four vendors of security solutions for endpoint users*. Throughout its more than 17-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 400 million users worldwide. Learn more at www.kaspersky.com.
* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2013. The rating was published in the IDC report "Worldwide Endpoint Security 2014–2018 Forecast and 2013 Vendor Shares" (IDC #250210, August 2014). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2013.