One-stop counterfeit certificate shops for all your malware-signing needs
Certificates registered in names of real corporations are surprisingly easy to come by.
The Stuxnet worm that targeted Iran's nuclear program almost a decade ago was a watershed piece of malware for a variety of reasons. Chief among them, its use of cryptographic certificates belonging to legitimate companies to falsely vouch for the trustworthiness of the malware. Last year, we learned that fraudulently signed malware was more widespread than previously believed. On Thursday, researchers unveiled one possible reason: underground services that since 2011 have sold counterfeit signing credentials that are unique to each buyer.
In many cases, the certificates are required to install software on Windows and macOS computers, while in others, they prevent the OSes from displaying warnings that the software comes from an untrusted developer. The certificates also increase the chances that antivirus programs won't flag previously unseen files as malicious. A report published by threat intelligence provider Recorded Future said that starting last year, researchers saw a sudden increase in fraudulent certificates issued by browser- and operating system-trusted providers that were being used to sign malicious wares. The spike drove Recorded Future researchers to investigate the cause. What they found was surprising.