Welcome to the new ZDNet! Give feedback or learn more about our updated design here. Or, return to the classic view.

Can you trust signed code? No, you can't!

A common misconception is that if a piece of code, such as an application, has been signed, it's clean and safe to install. Wrong!

A common misconception is that if a piece of code, such as an application, has been signed, it's clean and safe to install. Wrong!

According to Jarno Niemelä of F-Secure, there are literally tens of thousands of instances of malware in the wild that are signed.

How does this happen? There are plenty of ways to get a certificate into malware:

  • Copying Certificate information from clean files
  • Selfsigned certs with fake name
  • MD5 forgery
  • Get certified and be evil
  • Get certificate with misleading name
  • Get certificate with misleading name
  • Find someone to sign your stuff for you
  • Steal a certificate
  • Infect developers system and get signed with software release

Bottom line, the certificate is worth the paper it's printed on, so be careful what you go and install! It's a jungle out there!

PDF of the report can be found here.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.
See All