Hardware 2.0

Adrian Kingsley-Hughes

Can you trust signed code? No, you can't!

By Adrian Kingsley-Hughes | June 21, 2010, 6:52am PDT

A common misconception is that if a piece of code, such as an application, has been signed, it’s clean and safe to install. Wrong!

According to Jarno Niemelä of F-Secure, there are literally tens of thousands of instances of malware in the wild that are signed.

How does this happen? There are plenty of ways to get a certificate into malware:

Copying Certificate information from clean files
Selfsigned certs with fake name
MD5 forgery
Get certified and be evil
Get certificate with misleading name
Get certificate with misleading name
Find someone to sign your stuff for you
Steal a certificate
Infect developers system and get signed with software release

Bottom line, the certificate is worth the paper it’s printed on, so be careful what you go and install! It’s a jungle out there!

PDF of the report can be found here.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Hardware 2.0”

iOS 4 ... All you need to know!

iOS 4 - Can you upgrade YOUR iPhone/iPod touch?

Topics

Certificate, Spyware, Adware & Malware, Cyberthreats, Viruses And Worms, Security, Adrian Kingsley-Hughes

Adrian Kingsley-Hughes is an internationally published technology author who has devoted over a decade to helping users get the most from technology.

Full Bio
Disclosure
Contact

Vendor HotSpot

Here to help you with your Document Management Needs

Read the DocuMentor blog now

Learn More »

Talkback Most Recent of 19 Talkback(s)

Follow via:: RSS; Email Alert

And that's what Linux Repos are for.

P.S.
The Ed Bott story was bo gus.
The product in question didn't even have a GPG Key assigned to it.
Not a vendor worth working with IMO.
Dietrich T. Schmitz, ~ Your Linux Advocate
21st Jun 2010
- Reply to
- Flag
How so?

@Dietrich T. Schmitz, Your Linux Advocate

Still proves Linux and it's repos aren't has impenetrable as you make it seem. Ed's blog was a valid entry.
Cylon Centurion
21st Jun 2010
- Reply to
- Flag
While nothing is impenetrable Linux repos are the closest you can get to it

The Ed Bott story was about a software mirror which carried a compromised file, it was not about a compromised repository.
OS Reload
21st Jun 2010
- Flag
RE: Can you trust signed code? No, you can't!

@NStalnecker
You have much to learn little weed hopper.
"Man who catch fly with one chopstick can do anything."
Get the facts. Jack.
Dietrich T. Schmitz, ~ Your Linux Advocate
21st Jun 2010
- Flag
re: How so?

@NStalnecker

Ed's blog was a valid entry.

Ed's blog was pants-on-fire FUD. He *way* overplayed his hand. The only people who put "Linux" and "impenetrable" in the same sentence are people aching to see Linux getting taken down a notch.

Ed equates Linux not being impenetrable with the Swiss cheese that was XP in 2003. That's as pants-on-fire as it gets.
none none
21st Jun 2010
- Flag
I don't have anything to learn.

@DTS

Not from you anyway. Truth is, Linux can be picked apart just like any other operating system. And no, repositories can't prevent stupid, nor are they impenetrable.
Cylon Centurion
21st Jun 2010
- Flag
RE: Can you trust signed code? No, you can't!

@Dietrich T. Schmitz, Your Linux Advocate
No thanks, I can't be locked into just one repository.
Loverock Davidson
21st Jun 2010
- Reply to
- Flag
RE: Can you trust signed code? No, you can't!

@Loverock Davidson

I knew it, it would not last long. While we agree about AT&T; you have been sipping WAY too much Kool-Aid.

In addition to the Ubuntu repositories, I also have some at sourceforge and launchpad. So, there is no way I am locked into only one repository.

Sorry, try again. For a moment, I thought that this was an `Ed Bott` article. AKH, I thought you knew better?
fatman65535
21st Jun 2010
- Flag
Sure worked great here.

http://www.zdnet.com/blog/hardware/how-much-more-malware-is-lurking-in-linux-official-repositories/8615?tag=content;search-results-rivers
John Zern
21st Jun 2010
- Reply to
- Flag
In a proper repository the signatures are independent from the packages

If the MD5 or SHA sums are available from different alternative sources then there's no way you can forge them.
OS Reload
21st Jun 2010
- Reply to
- Flag
My rule of thumb:

Trust nothing. Malware today is such a runaway phenomenon, that it is impossible to trust anything anymore.

I never install anything without first testing it on a non networked PC I have set up. And DEFINITELY DO NOT install browser extensions outside of the expected few.
Cylon Centurion
21st Jun 2010
- Reply to
- Flag
In a proper repository the signatures are independent from the packages

If the MD5 or SHA sums are available from different alternative sources then there's no way you can forge them.
OS Reload
21st Jun 2010
- Reply to
- Flag
Adrian ...

Most people I know say you should not trust unsigned code, that does not translate into trust signed code.
mrlinux
21st Jun 2010
- Reply to
- Flag
RE: Can you trust signed code? No, you can't!

Most browsers with warn you about the signed code even if it's directly from Microsoft. IE especially, other's don't look at signed code and rely on your virus blocker to filter the site.
Maarek
21st Jun 2010
- Reply to
- Flag
RE: Can you trust signed code? No, you can't!

The bigger issue is that people don't understand certificates.
Loverock Davidson
21st Jun 2010
- Reply to
- Flag