Code signing is a solution to verify the integrity of software and its publisher’s identity, but it can be abused by malware and potentially unwanted programs (PUP) to look benign. This work performs a systematic analysis of Windows Authenticode code signing abuse, evaluating the effectiveness of existing defenses by certification authorities. We identify a problematic scenario in Authenticode where timestamped signed malware successfully validates even after the revocation of their code signing certificate. We propose hard revocations as a solution. We build an infrastructure that automatically analyzes potentially malicious executables, selects those signed, clusters them into operations, determines if they are PUP or malware, and produces a certificate blacklist. We use our infrastructure to evaluate 356 K samples from 2006-2015. Our analysis shows that most signed samples are PUP (88%-95%) and that malware is not commonly signed (5%–12%). We observe PUP rapidly increasing over time in our corpus. We measure the effectiveness of CA defenses such as identity checks and revocation, finding that 99.8% of signed PUP and 37% of signed malware use CA-issued certificates and only 17% of malware certificates and 15% of PUP certificates have been revoked. We observe most revocations lack an accurate revocation reason. We analyze the code signing infrastructure of the 10 largest PUP operations exposing that they heavily use file and certificate polymorphism and that 7 of them have multiple certificates revoked. Our infrastructure also generates a certificate blacklist 9x larger than current ones.
Certified PUPP: abuse in authenticode code signing / P. Kotzias, S. Matic, R. Rivera, J. Caballero - In: Conference on Computer and Communications SecurityNew York : ACM, 2015. - ISBN 9781450338325. - pp. 465-478
Certified PUPP: abuse in authenticode code signing
S. Matic;
2015
Abstract
Code signing is a solution to verify the integrity of software and its publisher’s identity, but it can be abused by malware and potentially unwanted programs (PUP) to look benign. This work performs a systematic analysis of Windows Authenticode code signing abuse, evaluating the effectiveness of existing defenses by certification authorities. We identify a problematic scenario in Authenticode where timestamped signed malware successfully validates even after the revocation of their code signing certificate. We propose hard revocations as a solution. We build an infrastructure that automatically analyzes potentially malicious executables, selects those signed, clusters them into operations, determines if they are PUP or malware, and produces a certificate blacklist. We use our infrastructure to evaluate 356 K samples from 2006-2015. Our analysis shows that most signed samples are PUP (88%-95%) and that malware is not commonly signed (5%–12%). We observe PUP rapidly increasing over time in our corpus. We measure the effectiveness of CA defenses such as identity checks and revocation, finding that 99.8% of signed PUP and 37% of signed malware use CA-issued certificates and only 17% of malware certificates and 15% of PUP certificates have been revoked. We observe most revocations lack an accurate revocation reason. We analyze the code signing infrastructure of the 10 largest PUP operations exposing that they heavily use file and certificate polymorphism and that 7 of them have multiple certificates revoked. Our infrastructure also generates a certificate blacklist 9x larger than current ones.
| File | Dimensione | Formato | |
|---|---|---|---|
|
p465-kotzias.pdf
accesso riservato
Tipologia:
Publisher's version/PDF
Dimensione
818.6 kB
Formato
Adobe PDF
|
818.6 kB | Adobe PDF | Visualizza/Apri Richiedi una copia |
Pubblicazioni consigliate
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
