14 November 2017

The Rise Of Super-Stealthy, Digitally Signed Malware — Thanks To The Dark Web

“It’s digital code-signing certificates,” he wrote.

“A recent study conducted by the Cyber Security Research Institute (CSRI) this week revealed that digital code-signing certificates are available for anyone to purchase on the Dark Web for $1,200,” Mr. Khandelwal wrote. “As many of you know,” he adds, “digital certificates issued by a Trusted Certificate Authority (CA) are used to cryptographically sign computer applications and software; and, are trusted by your computer [device] for execution of those programs without any warning messages. However,” he notes, “malware author[s] and hackers are always in search of advanced techniques to bypass security solutions have been abusing trusted digital certificates [especially] during recent years.”

“Hackers [and others] use compromised coding certificates associated with trusted software vendors in order to sign their malicious code, reducing the possibility of their malware being detected on targeted enterprise networks and consumer devices,” Mr. Khandelwal wrote.

“The infamous Stuxnet worm that targeted Iranian nuclear facilities in 2003, also used legitimate digital certificates. Also the recent CCleaner-tainted downloads infection was made possible due to digitally-signed software update,” Mr. Khandelwal noted.

Stealthy, Digitally-Signed Malware Is Increasingly Prevalent

Not surprisingly, “digitally signed malware has become increasingly prevalent and [much] more common than previously thought,” especially in the past 18 months or so, as cyber thieves and others learn, and adapt their techniques, and methods of breaching networks and devices. Mr. Khandelwal writes that “a trio of researchers — Doowan Kim, Bum Jun Kwon, and Tudor Dumitras from the University of Maryland, College Park — said they found 325 signed malware samples of which 189 (58.2 percent) carried valid digital signatures while 136 carry malformed digital signatures.”

“Such malformed signatures are useful for an adversary: we find simply copying an Authenticode signature a legitimate sample to an unsigned malware sample may help the malware bypass AV detection,” the researchers said. “Those 189 malware samples signed correctly were generated 111 compromised unique certificates issued by recognized CAs and used to sign legitimate software,” Mr. Khandelwal wrote.

Revoking Stolen Certificates Doesn’t Stop The Malware Immediately

“Even when a signature is not valid, the researchers found that at least 34 anti-virus products failed to check the certificate’s validity, [and] eventually allowing malicious code to run on the targeted machine [device/network],” Mr. Khandelwal wrote. “The researchers also conducted an experiment to determine if malformed signatures can affect the anti-virus detections. To demonstrate this, they downloaded 5 random, unsigned, ransomware samples that almost all anti-virus programs detect as malicious. The trio then took two expired certificates that previously had been used to sign both legitimate software and in-the-wild-malware, and used them to sign each of the five ransomware samples.”

Top Anti-Virus [Products/Software] Fail To Detect Malware Signed With Stolen Certificates

Again, not surprisingly, after conducting testing and analysis, researchers found that “many [popular] anti-virus products — failed to detect the malware as malicious.”

None of these discoveries should come as a surprise to anyone who reads this blog. The only ‘safe’ device that is connected to ‘the network,’ is one that has never been used. And, the above cyber threats are really pretty unsophisticated and sun-of-the-mill these days. As we look to 2018, the big, known cyber threat that is likely to emerge, is artificially empowered/enhanced malware — and,. its “going to be terrifying,” Rob Price wrote on the October 8, 2016 website edition of Business Insider.

David Plamer, Director of Technology at the cyber security firm, DarkTrace, had several warnings he spoke to Mr. Price about a year ago — with respect to artificial intelligence and the cyber threat. Mr. Price, in the interest of full disclosure, reminded his readers at the time, that “Mr. Palmer is in the [cyber] security business; and, it is his job to hype up the threats out there (present & future} and convince customers that DarkTrace is the only one [company] that can save them.” While that description is somewhat over-the-top as they say, his point is well taken. Having issued that caveat…………..,.

Mr. Palmer foresees artificially empowered malware in the not too distant future [my guess is 2018] that will hold industrial equipment to ransom; digitally masquerade as someone you know and trust; and, compromise networks and devices clandestinely — and leave little, if any digital ‘fingerprints,’ or bread-crumbs. Or, if any digital fingerprints are left behind, they are likely to be very clever false flags, designed to make it appear to be someone else. With respect to digitally masquerading as someone you know and trust, Mr. Palmer suggests that artifically empowered malware “will be able to look through your [email] correspondence, learn how you communicate, and them mimic,” or masquerade as you to someone else you regularly email — in order to eventually breach their ultimate target. 

Others warn of A.I. empowered malware that is adaptive, can hide when it suspects it might be under surveillance, lay dormant and become active based on target activity, and interact — without human intervention — with other A.I. empowered malware, to increase or enhance the chances of a successful breach. It is scary enough to make one consider an off-the-grid existence. Either that, or we have to hope the white hat cyber hackers can stay at least one, digital step ahead. But, as I like to say/write, it is the second digital mouse…..that always gets the cheese.

No comments: