Paper


Abstract

Digitally signed malware can bypass system protection mechanisms that install or launch only programs with valid signatures. It can also evade anti-virus programs, which often forgo scanning signed binaries. Known from advanced threats such as Stuxnet and Flame, this type of abuse has not been measured systematically in the broader malware landscape. In particular, the methods, effectiveness window, and security implications of code-signing PKI abuse are not well understood. We propose a threat model that highlights three types of weaknesses in the code-signing PKI. We overcome challenges specific to code-signing measurements by introducing techniques for prioritizing the collection of code-signing certificates that are likely abusive. We also introduce an algorithm for distinguishing among different types of threats. These techniques allow us to study threats that breach the trust encoded in the Windows code-signing PKI. The threats include stealing the private keys associated with benign certificates and using them to sign malware, or impersonating legitimate companies that do not develop software and, hence, do not own code-signing certificates. Finally, we discuss the actionable implications of our findings and propose concrete steps for improving the security of the code-signing ecosystem.

Data sets




Compromised code signing certificates
Serial Number Publisher Issuer Country Sample
149C12083C145E28155510CFC19DB0FE 3rd Eye Solutions Ltd Thawte Code Signing CA UK link
53BB753B79A99E61A6E822AC52460C70 ??????? Thawte Code Signing CA - G2 Korea link
11690F05604445FAE0DE539EEEEEC584 Tera information Technology co.Ltd Thawte Code Signing CA - G2 Korea link
1A0FD2A4EF4C2A36AB9C5E8F792A35E2 ???????????? Thawte Code Signing CA - G2 China link
244A552C72B65C01E472D28722707D5A Esaya.com Inc. VeriSign Class 3 Code Signing 2004 CA USA link
00ACDB7F6460A6B323B6D2EAD85BC30CA6 Reg Revenue COMODO Code Signing CA 2 USA link
75A38507BF403B152125B8F5CE1B97AD isonet ag VeriSign Class 3 Code Signing 2010 CA Switzerland link
00864196F01971DBEC7002B48642A7013A WLE DESENVOLVIMENTO DE SOFTWARE E ASSESSORIA LTDA EPP COMODO Code Signing CA 2 Brazil link
4FF87215841B1C38064623170B0840CB Guiyang Netho Technology service Co. VeriSign Class 3 Code Signing 2010 CA China link
7940DA4AA593871CA535167A93649CAC Shenzhen Paojiaosizhi Information Technology Co. VeriSign Class 3 Code Signing 2010 CA China link
48239D8CA323C059F58011E905BFD898 iS3 Thawte Code Signing CA USA link
2D1BA639200257F67D3BF35D52C53381 TAB Software Corp. The Code Project Code Signing CA USA link
039E5D0E3297F574DB99E1D9503853D9 Cigam Software Corporativo LTDA COMODO Code Signing CA 2 Brazil link
31319ECFE88565C288BB66FDF72D8B13 ???????????? Thawte Code Signing CA - G2 China link
054AF2E9BB99B84555F819BF54AA93D1 TT4YOU Thawte Code Signing CA Korea link
45A70579218BD3F8A7437F2787195444 Korea Virtual Payment Co. Thawte Code Signing CA Korea link
2D45FBB87E41F57DDC127F237BB9D1C9 NIA eBiz Networks Certificate Services Korea link
454EDA8DA1A58D32CB1C7116152A1CA8 Respondus Thawte Code Signing CA USA link
3FBAA110B35D9865833D2D3F386B8F44 SHANGHAI ZHONGYUAN NETWORKS LIMITED VeriSign Class 3 Code Signing 2009-2 CA China link
57D6DFF1EF96F01B9430666B2733CC87 Smart Plugin Ltda COMODO Code Signing CA Brazil link
20D82BAC683325FBE0B262B28E439C49 ???????????? Thawte Code Signing CA - G2 China link
5F8203C430FC7DB4E61F6684F6829FFC Haivision Network Video VeriSign Class 3 Code Signing 2010 CA Canada link
075EC389C3CC10317A05F97090D399CE Ahranta VeriSign Class 3 Code Signing 2010 CA Korea link
58A10FCF6809AE7736C7DB59E480165B OM NETWORKS Co. Thawte Code Signing CA - G2 Korea link
26B02C030DDAFA18889A148538E8E047 Skyline Software Systems VeriSign Class 3 Code Signing 2001 CA USA link
52C8C05A293AD3AC3FD59863CDCF297C pointmani Thawte Code Signing CA Korea link
03866DEB183ABFBF4FF458D4DE7BD73A ?????????? Thawte Code Signing CA - G2 China link
7237ACBBEF66317B1DB46C898E1F3ABE ?????????? Thawte Code Signing CA - G2 China link
00F385E765ACFB95605C9B35CA4C32F80E CWI SOFTWARE LTDA COMODO Code Signing CA 2 Brazil link
403AE9D1B8A7F8DB0B862E6A3FCAEB1A Kunshan Youxun Network Tech Co. WoSign Code Signing Authority China link
0685EA3954CCD165B77A569B6A5BF3CC CDNetworks Co. Thawte Code Signing CA Korea link
1121E91DECC1A1D4F1F9EFD938A9AE91EB19 ???????????? GlobalSign CodeSigning CA - G2 China link
77A64759F12766E363D779998C71BDC9 Beijing Gigabit Times Technology Co. VeriSign Class 3 Code Signing 2004 CA China link
0637EE22B4697200C72E2B2A58DBAE34 Buster Ind Com Imp e Exp de Acessorios P Autos Ltda Thawte Code Signing CA - G2 Brazil link
18810ADB45D16801B19C81FC8E6DE697 HS SOLUTION Thawte Code Signing CA - G2 Korea link
52C8B6E31D21BD983BEFF68B33AFDE72 Arcdo Co. Thawte Code Signing CA - G2 Korea link
3B55E2BAC4A06B974AB8329B2EC10A80 Myfolder net Thawte Code Signing CA Korea link
19333F202BACF7FE7CD948C089A68E78 Biz Secure Labs Pvt. Ltd. The Code Project Code Signing CA India link
0100000000012B76A4FF23 Cybercreat GlobalSign ObjectSign CA France link
235AF38052CBFD05583368447A85A09C DIAGRAM SOFTWARE VeriSign Class 3 Code Signing 2009-2 CA Spain link
69D1AD9B16F2F21B6664AB8B271FD536 Shenzhen QVOD Technology Co. VeriSign Class 3 Code Signing 2009-2 CA China link
113C0EF6587F67C35FB14D331C8E8BA5 DigitalDM Pty Ltd VeriSign Class 3 Code Signing 2004 CA Australia link
2B727496B6EE159A73C44212C92FB607 INBEE.COM Thawte Code Signing CA Korea link
2352434EBF89CBBE6F295CB0F6D1429F ???????? Thawte Code Signing CA - G2 Korea link
52397DFB795037D36DC501C822C90E9D Positive Networks VeriSign Class 3 Code Signing 2004 CA USA link
677F60229410AE57B6C74B9F458441EC ?????????? Thawte Code Signing CA - G2 China link
55EFE24B9674855BAF16E67716479C71 S2BVISIO BELGIQUE SA VeriSign Class 3 Code Signing 2010 CA Belgium link
332C0A9CF20FB48FCAA51A176E980517 Guangzhou ShuLian Software Technology Ltd VeriSign Class 3 Code Signing 2004 CA China link
7FC80871A66FE6B07D8CFCA5AF93014D Tencent Technology(Shenzhen) Company Limited VeriSign Class 3 Code Signing 2004 CA China link
55DF07DDF24EB6ADB44540CEBD2ADFB0 Jinan WanMing technology Co. VeriSign Class 3 Code Signing 2010 CA China link
629D120DD84F9C1688D4DA40366FAB7A Delta Controls VeriSign Class 3 Code Signing 2009-2 CA Canada link
2CCAC0204E26AFC893F8A3DB73E01C70 Shenzhen QVOD Technology Co. VeriSign Class 3 Code Signing 2010 CA China link
00A3C516AB894D9EBCBB812E811C76591C Gamsoft Sistemas de Informação Ltda COMODO Code Signing CA 2 Brazil link
7D824BA1F7F730319C50D64C9A7ED507 joaweb Thawte Code Signing CA Korea link
39040174F7807BD19E4F936F70C1AC94 The Department of Education and Training Thawte Code Signing CA Australia link
00DD7926EC7EBD87EE1E66929059DF2478 Windowlink Ltd UTN-USERFirst-Object UK link
31350636B3ECDCE88F80E18A363DD640 Tavultesoft Pty Ltd VeriSign Class 3 Code Signing 2004 CA Australia link
41908564ADF2B8576F870159DA77C2AB ?????????? Thawte Code Signing CA - G2 China link
298DED2DF17D40ADE7A412FB3BC9DE7A Shenzhen Paojiaosizhi Information Technology Co. VeriSign Class 3 Code Signing 2010 CA China link
4BF1D68E926E2DD8966008C44F95EA1C Technical and Commercial Consulting Pvt. Ltd. VeriSign Class 3 Code Signing 2010 CA India link
1BE41B34127CA9E6270830D2070DB426 ???????????? Thawte Code Signing CA - G2 CN link
00E86F46B60142092AAE81B8F6FA3D9C7C Syncode Sistemas e Tecnologia Ltda COMODO Code Signing CA 2 Brazil link
337B28C78A7BBD3DB1096E48C547987A 114kti Co VeriSign Class 3 Code Signing 2009-2 CA Korea link
5E6DDC87375082845814F442D1D82A25 Realtek Semiconductor Corp VeriSign Taiwan link
211F593FC22BE0D9BAA634CBB188F8C6 Abingerdale VeriSign Class 3 Code Signing 2009-2 CA UK link
009B108B8A1DAA0D5581F59FCEE0447901 CharacTell Ltd UTN-USERFirst-Object USA link
0B0D17EC1449B4B2D38FCB0F20FBCD3A WEBPIC DESENVOLVIMENTO DE SOFTWARE LTDA COMODO Code Signing CA 2 Brazil link
0092D9A1B584C70F5D641485C9FA28E466 Ad Shows USERTrust Russia link
4B7CBE4035C2EC Eagle Point Software Corporation Go Daddy Secure Certification Authority USA link



Compromised developments
Serial Number Publisher Issuer Country Sample
72B0E97C12B0015B4628683AFCE865D7 SoftWindow Thawte Code Signing CA Korea link
64639B63FF39A20E8B9C092C573DBE69 IObit Information Technology VeriSign Class 3 Code Signing 2004 CA China link
784F226B45C3BD8E4089243D747D1F59 FSPro Labs USERTrust Russia link



Fraudulents
Serial Number Publisher Issuer Country Sample
3E1656DFCAACFED7C2D2564355698AA3 John W.Richard COMODO Code Signing CA 2 USA link
724DB586248083F9261CE3920AAFFA6D Platte International Limited Thawte Code Signing CA UK link
00BC32BBE5BBB4F06F490C50651CD5DA50 Remedica Medical Education and Publishing Ltd COMODO Code Signing CA 2 UK link
0083F68FC6834BF8BD2C801A2D1F1ACC76 Helpful Technologies COMODO Code Signing CA 2 USA link
5068F99BEE29874933CED57D1FC92E07 Silver Arrow Color Labs. Thawte Code Signing CA Taiwan link
00F57DF6A6EEE3854D513D0BA8585049B7 smnetworks eBiz Networks Certificate Services Korea link
06658B28DCA3E5AF38E72F439F229E08 Dmitry Shesterin VeriSign Class 3 Code Signing 2010 CA Canada link
6B6DAEF5BE29F20DDCE4B0F5E9FA6EA5 Calibration Consultants USERTrust (Code Signing) USA link
1CB2D523A6BF7A066642C578DE1C9BE4 Shenzhen Hua'nan Xingfa Electronic Equipment Firm Thawte Code Signing CA - G2 China link
35F0F8B68C0BDA4CCD26C0C8F702327D SMART ADV LTD Thawte Code Signing CA UK link
5AAFD7D083DE25436C8AC75524CAD93C Changsha Hongfu Environmental Protection Technology Co. VeriSign Class 3 Code Signing 2010 CA China link



Shell company
Serial Number Publisher Issuer Country Sample
00AA146BFF4B832BDBFE30B84580356763 Yancheng Peoples Information Technology Service Co. WoSign Code Signing Authority China link
01000000000129ABE6B030 Beijing XiTao JuYuan Technology Company Limited GlobalSign ObjectSign CA China link
4FDA1E121B61ADECA936A6AEBE079303 Laizhou wanlei stone Co. WoSign Code Signing Authority China link
328BDCC0F679C4649147FBB3EB0E9BC6 Nooly Systems LTD USERTrust (Code Signing) Belize link
03EDF0A4162316E93034A1C850F75A7C Aksis Bilişim Teknolojileri Bilgi İşlem ve İletişim Tic. Ltd. Şti. DigiCert High Assurance Code Signing CA-1 Turkey link



Unidentified
Serial Number Publisher Issuer Country Sample
1121229A985F75387051356DF8070885AFDF ???????????? GlobalSign CodeSigning CA - G2 China link
5F78149EB4F75EB17404A8143AAEAED7 ???????????? VeriSign Class 3 Code Signing 2010 CA China link
0166B65038D61E5435B48204CAE4795A TOLGA KAPLAN COMODO Code Signing CA 2 Turkey link
77E0117E8B2B8FAA84BED961019D5EF8 Reiner Wodey Informationssysteme VeriSign Class 3 Code Signing 2010 CA Germany link
5C7097E710751D834FD3ABFB3A627B26 mdeleij@gmail.com(Open Source Developer) Certum Level III CA Germany link
0628DD748E16DD3ACBD8C363D7C41626 (Open Source Developer) Certum Level III CA China link
00F62C9C4EFC81CAF0D5A2608009D48018 ?????????????? WoSign Code Signing Authority China link
06A14B11F721C57A5279072098699A58 ? ???????????? Thawte Code Signing CA - G2 Korea link
3A6CCABB1C62F3BE3EB03869FA43DC4A ?????????????? WoSign Code Signing Authority China link
09ED3F21ED56631F652C1584EAA3D625 ???? Thawte Code Signing CA - G2 Korea link
3E349087632858C7D677C797F0B6C68A ????(?) Thawte Code Signing CA Korea link
3BC0DD5FCB734879BFDDCCA0C7B71A17 ???????????? Thawte Code Signing CA - G2 China link
4CA5A3387542358C8644D0B3BB244FB3 ?????????????? WoSign Code Signing Authority China link
6FCF7E45FEB4582CE934D5E0DDF3BFF0 ????? Thawte Code Signing CA - G2 Korea link
00FE9404DC73CF1C2BA1450B8398305557 ????????????????? WoSign Code Signing Authority China link
5A4B768ADFEC8CD7397111B30B86AF81 ???????????? WoSign Code Signing Authority China link
00CC8D902DA36587C9B2113CD76C3C3F8D ???????????????? WoSign Code Signing Authority China link
297FB0DB26EF90EAC6CCBC7DC4DAE565 (?)?? Thawte Code Signing CA - G2 Korea link
6954D7C331799CE5633F73847D115BB5 ???? ???? Thawte Code Signing CA - G2 Korea link