This presentation forms part of the CTA's Threat Intelligence Practitioners' Summit
Thursday 3 October 11:00 - 11:30, Small Talks room
Samir Mody (K7)
Recently, a representative of Microsoft's Privacy Security and Trust Engineering team suggested that the pervasive use of digital signatures would make the ecosystem more secure. We're not so sure.
Digitally signed malware (and PUAs) has been prevalent for some time now. Threat actors know that the use of code signing certificates can still be effective in bypassing behavioural (EDR/XDR/HIPS) and even static protection mechanisms.
Digital signatures certify that a file has not been tampered with, while also identifying its source with 100% confidence. Thus, digital signatures have traditionally conferred an element of trust on application executables, which has indeed been useful in mitigating FPs. However, flaws exist in this assumption of trust.
A Certificate Authority (CA) is expected to have done its due diligence before issuing code signing certificates, which aren't free. Since there is a cost attached, one makes a not unreasonable assumption that code certificates aren't trivial to obtain. Ironically, it is this cost per certificate which renders digital signatures less trustworthy, given the conflict of interest vis-a-vis the CA's core business, i.e. CAs have a financial incentive to issue as many certificates as possible.
Furthermore, it has been assumed that bona fide users of code signing certificates would have a secure, sanitised build environment to prevent their abuse. The remote theft of certificates and the seeming ubiquity of supply chain attacks should have put paid to this assumption.
One more nail in the coffin would be the recent trend of adding arbitrary certificates to the Windows Cert Store's Root of Trust list used by Microsoft’s crypto APIs during verification. The adversary can now be its own trusted CA!
In this presentation we shall deep dive into the categorical, evidence-based nature of the use of digital signatures in recent malware. We shall investigate the relative efficacy of CA Certificate Revocation Lists versus industry sharing of specific certificate metadata. Unless we forge effective verification and trust solutions, the security industry may well have to treat all signed application files as essentially unsigned, which could lead to an increase in FPs. How then would pervasive digital signing increase ecosystem security?
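As an added example (not from the presentation or from K7), the following PowerShell audit addresses the two defender-side concerns above: it lists root certificates in the Windows Root stores that are not in a known-good baseline of thumbprints, and it checks whether a signed file's Authenticode chain terminates at a baselined root with online revocation checking enabled. The baseline path and the sample file path are assumptions.

```powershell
# Added example (not from the presentation): audit Windows root stores for
# roots missing from a known-good baseline, then check whether a signed
# file's chain terminates at a baselined root. Paths below are assumptions.
param(
    [string]$BaselinePath = "C:\secaudit\root-baseline.txt",   # one SHA-1 thumbprint per line (assumed)
    [string]$FileToCheck  = "C:\Program Files\Example\app.exe" # assumed sample path
)

# Stores an adversary can add to: LocalMachine\Root needs admin rights, CurrentUser\Root does not.
$stores = @("Cert:\LocalMachine\Root", "Cert:\CurrentUser\Root")

# Load the baseline of expected root thumbprints (upper-case hex, no spaces).
$baseline = @{}
if (Test-Path $BaselinePath) {
    Get-Content $BaselinePath | ForEach-Object { $baseline[$_.Trim().ToUpper()] = $true }
}

# Report every root certificate that is not in the baseline.
$unexpected = foreach ($store in $stores) {
    Get-ChildItem $store | Where-Object { -not $baseline.ContainsKey($_.Thumbprint.ToUpper()) } |
        Select-Object @{n='Store';e={$store}}, Subject, Issuer, Thumbprint, NotBefore, NotAfter
}
if ($unexpected) {
    Write-Host "Root certificates not in baseline:"
    $unexpected | Format-Table -AutoSize
} else {
    Write-Host "All root certificates match the baseline."
}

# Check a signed file: a Valid status only means the chain ends at a root this machine trusts.
if (Test-Path $FileToCheck) {
    $sig = Get-AuthenticodeSignature -FilePath $FileToCheck
    Write-Host "Signature status: $($sig.Status) signer: $($sig.SignerCertificate.Subject)"
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'   # consult the CA's CRL/OCSP, not just the cache
        $null = $chain.Build($sig.SignerCertificate)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($baseline.ContainsKey($root.Thumbprint.ToUpper())) {
            Write-Host "Chain root is in baseline: $($root.Subject)"
        } else {
            Write-Host "WARNING: chain terminates at a non-baselined root: $($root.Subject) $($root.Thumbprint)"
        }
        # Any revocation or validity problem found while building the chain is listed here.
        $chain.ChainStatus | ForEach-Object { Write-Host "Chain status: $($_.Status) $($_.StatusInformation)" }
    }
}
```

Run it from an elevated prompt so both stores are readable; a root that verifies the file but is absent from the baseline is exactly the self-appointed CA the abstract describes.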
Samir Mody graduated from the University of Oxford in 2000 with a First-Class Master's degree in chemical engineering, economics and management. He spent over nine years at Sophos UK, the final three as Threat Operations Manager of SophosLabs. Since August 2010 he has been running K7 Labs in Chennai, India. Samir has actively contributed to the IEEE Taggant System project and other industry collaborations such as AMTSO and CTA. He has co-authored and/or presented papers and participated in panel discussions at various international security conferences (VB, AVAR, EICAR). Samir's interests include reading (philosophy, politics, history, literature and economics), sport and classical music.