Can you trust signed code? No, you can't!

Summary: A common misconception is that if a piece of code, such as an application, has been signed, it's clean and safe to install. Wrong!


According to Jarno Niemelä of F-Secure, there are literally tens of thousands of instances of malware in the wild that are signed.

How does this happen? There are plenty of ways to get a certificate into malware:

  • Copy the certificate information from clean files
  • Use a self-signed cert with a fake name
  • MD5 forgery
  • Get certified and be evil
  • Get a certificate with a misleading name
  • Find someone to sign your stuff for you
  • Steal a certificate
  • Infect a developer's system and get signed along with the software release

Bottom line: on its own, a certificate is worth about as much as the paper it's printed on, so be careful what you go and install! It's a jungle out there!
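As an added illustration of the defender's side of this (not code from the article or from F-Secure), the following PowerShell function treats "signed" as the start of the check rather than the end of it: it flags the cases in the list above that a signature inspection can actually see, such as a hash that no longer matches (copied certificate info), a self-signed cert, an MD5-based certificate, or a signer that is not on your own publisher allowlist. The file path and the thumbprint are placeholders you would replace with your own values.

```powershell
# Added example: inspect an Authenticode signature and report why the
# signer should or should not be trusted. Thumbprints and the path are
# assumed placeholders, not values from the article.
function Test-SignerTrust {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Allowlist: thumbprints of the publishers you actually expect.
        [string[]]$ExpectedThumbprints = @()
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $reasons = New-Object System.Collections.Generic.List[string]

    # Copied certificate info or a tampered file: the hash no longer matches,
    # or the chain does not lead to a trusted root.
    if ($sig.Status -ne 'Valid') {
        $reasons.Add("Signature status is '$($sig.Status)': $($sig.StatusMessage)")
    }
    $cert = $sig.SignerCertificate
    if ($null -ne $cert) {
        # Self-signed cert with a fake name: issuer equals subject.
        if ($cert.Subject -eq $cert.Issuer) {
            $reasons.Add("Certificate is self-signed ($($cert.Subject))")
        }
        # MD5 forgery: the certificate itself was signed with an MD5 algorithm.
        if ($cert.SignatureAlgorithm.FriendlyName -match 'md5') {
            $reasons.Add("Certificate uses weak algorithm $($cert.SignatureAlgorithm.FriendlyName)")
        }
        # Misleading name or stolen cert: identity is not one you expect.
        if ($ExpectedThumbprints.Count -gt 0 -and $ExpectedThumbprints -notcontains $cert.Thumbprint) {
            $reasons.Add("Signer '$($cert.Subject)' ($($cert.Thumbprint)) is not an expected publisher")
        }
        # Expired signing cert with no timestamp counter-signature.
        if ($cert.NotAfter -lt (Get-Date) -and $null -eq $sig.TimeStamperCertificate) {
            $reasons.Add("Signing certificate expired $($cert.NotAfter) and the signature is not timestamped")
        }
    } else {
        $reasons.Add("No signer certificate present")
    }
    [pscustomobject]@{
        Path    = $Path
        Signer  = if ($cert) { $cert.Subject } else { $null }
        Trusted = ($reasons.Count -eq 0)
        Reasons = $reasons.ToArray()
    }
}

# Usage with a constructed path and a placeholder thumbprint.
Test-SignerTrust -Path 'C:\Downloads\installer.exe' -ExpectedThumbprints @('PLACEHOLDER_THUMBPRINT')
```

A `Trusted` result of `$false` with the reasons listed is the point: a `Valid` status alone says only that the bytes match what some certificate holder signed, not that you should run them.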

The PDF of the report can be found here.

Topics: Security

About

Adrian Kingsley-Hughes is an internationally published technology author who has devoted over a decade to helping users get the most from technology -- whether that be by learning to program, building a PC from a pile of parts, or helping them get the most from their new MP3 player or digital camera. Adrian has authored/co-authored technic...
