Author Topic: Digitally signed malware more common than previously believed?

Offline HaryHr

Digitally signed malware more common than previously believed?
« on: November 04, 2017, 03:51:06 PM »
Don't know if someone already posted this, but there is an interesting article on Ars Technica from an ACM conference, about a research paper on digitally signed malware. The second link also has a list of compromised code signing certificates from that research paper.

https://arstechnica.com/information-technology/2017/11/evasive-code-signed-malware-flourished-before-stuxnet-and-still-does/

http://signedmalware.org/

Offline sAyer

Re: Digitally signed malware more common than previously believed?
« Reply #1 on: November 04, 2017, 11:37:42 PM »
This is disconcerting but not a threat to Default Deny from what I have seen. From the AV aspect maybe yes, but not from the core security of CIS. The chance of one of these signatures being on the Trusted Vendors list is very improbable. I have a definite sample and one I believe to be fraudulent. Both have validity with Windows and signature lookup via dllhost, but when I try to add the same files to the Trusted Vendors list in CIS via a read from a signed executable it will not recognize them as valid signatures.

Default Deny is still solid. If you get infected with CIS (depending on configuration) it's because YOU trusted something.

Thanks for posting, HaryHr. Been following this for a while, but I had no idea it was so widespread. No AV vendor should disregard or trust a file based on a signature. Gives a new meaning to Trojan Horse.

« Last Edit: November 04, 2017, 11:40:12 PM by sAyer »
"You affect the world by what you browse." - Tim Berners-Lee

"When you change the rules on what controls you - you will change the rules on what you can control." - Revolver

 
