Digitally Signed Malware Sees Triple-Digit Growth

McAfee’s malware database revealed that certificates, which are issued by Certificate Authorities like Thawte, Comodo and Verisign,

David Marcus, director of advanced research and threat intelligence at McAfee, told attendees of McAfee Focus 2013 in Las Vegas that signed malware is on a triple-digit growth trajectory, jumping 136% and 393% respectively in 2011 and 2012. In 2012, it accounted for 6.6% of all malware, up from only 1.3% of all new malware in 2010. And in the first three quarters of this year, signed malware is up 20% on the total 2012 number, according to McAfee.

Signed mobile malware is particularly in hockey-stick mode. McAfee figures show that from 2010 to 2011, signed Android malware shot up by a staggering 1,412%.

The numbers dovetail with the dramatic 600% increase in attacks on keys and certificates that Symantec identified during the first five months of 2013. That firm found 800 different malware packages designed to steal keys and certificates over the course of just one month earlier this year.

Symantec explained how attackers hijack legitimate certificates. “If a computer is infected by a back door Trojan, the attacker may gain full access to the compromised computer and will be able to control it. The attacker will therefore be able to steal any information found on the computer,” it said in a blog from earlier in the year. “An attacker can also steal both the private key and the digital certificate if he or she is interested in them.”

Issues with certificates have gotten attention before. Last year, a survey by Venafi and Osterman Research found that a majority of enterprises have an inaccurate or incomplete inventory of their Secure Sockets Layer (SSL) certificate populations, exposing them to security and compliance risks.

Worse, the majority of organizations actually manually manage digital certificates with spreadsheets and reminder notes. This overall lack of management and control offers up the perfect attack vector for cybercriminals and cyber-espionage.

Until certificate reputation begins to be included in security software as a way to identify malware, organizations need to be vigilant and perhaps even set up an internal CA to sign their own code, McAfee recommended.
