Since 2014, Suckfly, a hacker group apparently based in Chengdu, China, has used at least 9 signing certs to make their malware indistinguishable from official updates from the vendor.
Suckfly's known signing certs all came from companies in South Korea, apparently penetrated through phishing scames. Symantec discovered the extent of Suckfly's use of signing certs after finding a single piece of known malware ("a brute-force server message-block scanner") that sent them looking for other examples.
Signing certificates are used by software to authenticate updates from vendors. The Apple v FBI case is, at root, about signing certificates: the FBI wants Apple to produce a bogus code-update that will let it bypass the Iphone's limits on PIN-guessing, and then sign it with Apple's signing certificate.
Whether or not Apple wins this case, it has prompted many in the security community to contemplate ways to backstop signing certificates to catch this kind of attack. Chief among these is "binary transparency" — a system of servers hosting the signatures of updates received by programs in the wild. This might not prevent a computer from being infected by a bogus update, but it would reveal the update's existence very quickly.
The existence of Suckfly's trove of stolen signing certs tells us that such a thing is needed, and will likely come, to fight malware. However, such a step would severely impair the usefuless of law enforcement orders to produce custom interception software.
It's a very neat example of the problems of backdoors: from a device's perspective, there's no way to distinguish between penetration threats from criminals or cops. We talk a lot about how you can't make a backdoor that only good guys can go through — but here's an example of how making a device secure against criminals also makes it secure against the FBI.
"Signing malware with code-signing certificates is becoming more common, as seen in this investigation and the other attacks we have discussed," Symantec researcher Jon DiMaggio wrote in Tuesday's blog post. "Attackers are taking the time and effort to steal certificates because it is becoming necessary to gain a foothold on a targeted computer. Attempts to sign malware with code-signing certificates have become more common as the Internet and security systems have moved towards a more trust and reputation oriented model. This means that untrusted software may not be allowed to run unless it is signed."
Digitally signed certificates allow Suckfly exploits to work seamlessly without calling attention to themselves. One of the group's booby-trapped webpages, for example, was able to exploit a 2014 vulnerability in a Microsoft Windows component known as Object Linking and Embedding when it was viewed with Internet Explorer. The file the exploit delivered was a self-extracting executable that ultimately installed malware Symantec dubs Nidiran.
"Our investigation shines a light on an often unknown and seedier secret life of code-signing certificates, which is completely unknown to their owners," DiMaggio concluded. "The implications of this study shows that certificate owners need to keep a careful eye on them to prevent them from falling into the wrong hands. It is important to give certificates the protection they need so they can't be used maliciously."
To bypass code-signing checks, malware gang steals lots of certificates
[Dan Goodin/Ars Technica]
(Image: An illustration of the man-in-the-middle attack
, Miraceti, CC-BY-SA)