Something should improve

Certainly all Comodo employees work hard to get better, and as for the following topic, there should urgently be something to improve. :P0l

“Chronicle’s security researchers have analyzed submissions between May 7, 2018, and May 7, 2019, discovering that out of a total of 3,815 signed malware samples, 1,775 were signed using a digital certificate issued by Comodo RSA Code Signing CA.”

Chronicle reveals CAs that issued most certificates to sign malware on VT (Security Affairs)

The certificate side of the business was acquired by a third party and renamed Sectigo some time ago. Now they are the ones handling the issuing of certificates, not Comodo anymore.

Hi mmalheiros,

You are absolutely right, and I knew that too, but unfortunately I did not take that into account when naming the topic. The name has been changed. :a0

But it was not completely wrong, because all these certificates were issued by Comodo and not by Sectigo. So rather, my appeal would have had to go to Sectigo and not to Comodo. At the time, I didn’t know if Comodo had also handed over responsibility for self-issued certificates to Sectigo.

Meanwhile, Sectigo has made a new statement in this regard. >>> Sectigo says that most of the certificates reported by Chronicle analysis were already revoked (Security Affairs)

Quote: [i]“Unfortunately, recent press reports suggest the incorrect conclusion that Chronicle reported nearly 2000 such certificates for Comodo / Sectigo. Since this story ran, we have investigated all of the certificates attributed to Comodo / Sectigo. More than 90% of these were expired, previously revoked, or duplicate reports.” reads the post published by Sectigo.

The CA confirmed that it is still investigating 25 certificates that are labeled with “in process” status.

“These reported certificates did not match our records of Code Signing certificates from Comodo / Sectigo during our investigation. We are continuing to investigate these certificates.” reads the CA.[/i]

Kind Regards!
pio

I think it will take some time for “Comodo RSA Code Signing CA” and other Root authorities with Comodo’s name in them, to have their names changed to Sectigo. So we should still see some bad things “signed by Comodo” in the future.

Personally I don’t blame Comodo or Sectigo for that, because Criminals often buy and resell those certificates for Hackers. Even Microsoft certs did get stolen in the past:

Hi mmalheiros,

To blame someone for anything was also never my intention! But in order to improve things, certain points just need to be addressed. So, when I say something in this regard, I always hope that it may improve workflows or control mechanisms, so as to prevent or at least limit similar things in the future. Due to the way in which protection solutions are currently set up or work, signed Malware presents a risk that should NEVER be underestimated. As can also be seen from the link you posted, the example of “Stuxnet” clearly shows the significant damage signed Malware can cause. Although the full context of the “CCleaner incident” was different or still unclear, the existence of a valid certificate was also very useful for carrying out the mission.

That some certificates are stolen or unlawfully acquired is out of the question. :P0l

Regarding this topic, I had already posted the following here over 1 year ago. You can also read through this, if you are interested. :-TU :wink:

https://forums.comodo.com/general-security-questions-and-comments/interesting-article-about-codesigning-certificates-t121612.0.html#new

https://forums.comodo.com/general-security-questions-and-comments/another-interesting-article-about-codesigning-certificates-t121721.0.html

Further information on the topic: http://signedmalware.org/

Best Regards!
pio

I agree with you 100%, CAs should do something to avoid signed Malware, and I found the links you provided very helpful because they confirmed what I was suspecting: Criminals are indeed selling Comodo/Sectigo certificates to sign Malware. Now I have good arguments to use against people who claim they will never use Comodo products “Because they sign Malware”, thank you.

Yeah like I am going to stop using free CIS just because some Troll stole a certificate from Comodo/Sectigo to sell it on the black market. ;D ;D ;D