Can you trust signed code? No, you can't!

Summary: A common misconception is that if a piece of code, such as an application, has been signed, it's clean and safe to install. Wrong!

A common misconception is that if a piece of code, such as an application, has been signed, it's clean and safe to install. Wrong!

According to Jarno Niemelä of F-Secure, there are literally tens of thousands of instances of malware in the wild that are signed.

How does this happen? There are plenty of ways to get a certificate into malware:

  • Copying certificate information from clean files
  • Self-signed certs with a fake name
  • MD5 forgery
  • Get certified and be evil
  • Get a certificate with a misleading name
  • Find someone to sign your stuff for you
  • Steal a certificate
  • Infect a developer's system and get signed along with the software release

Bottom line, the certificate is worth the paper it's printed on, so be careful what you go and install! It's a jungle out there!
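As an added example (not from the ZDNet post or the F-Secure report), here is a toy code-signing policy checker in Python that walks through several of the scenarios in the list above. The certificates, trusted-CA list, revocation list, publisher allowlist and file contents are all constructed, and the signature is modelled as an HMAC over a per-certificate secret standing in for a real RSA/ECDSA verification. The point it makes is what a verifier has to check beyond "the signature is valid", and which case (a genuine, unrevoked signature on bad code) no amount of checking the certificate will catch.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str   # publisher name shown to the user
    issuer: str    # CA that vouched for the name; equal to subject when self-signed
    serial: str
    key: bytes     # stand-in for the signing key (constructed)


# Policy inputs, all constructed for this example.
TRUSTED_CAS = {"Example Root CA"}
PINNED_PUBLISHERS = {"Acme Software Ltd"}


def sign(cert, data):
    """Toy signature: HMAC with the cert's key. Real code signing uses RSA/ECDSA."""
    return hmac.new(cert.key, data, hashlib.sha256).digest()


def signature_valid(cert, data, sig):
    return hmac.compare_digest(sign(cert, data), sig)


def evaluate(cert, data, sig, trusted_cas=TRUSTED_CAS,
             pinned=PINNED_PUBLISHERS, revoked=frozenset()):
    """Return (decision, reason). Each rejecting branch is one of the ways a
    signed file can still be malicious; the final 'allow' is not a clean bill."""
    if not signature_valid(cert, data, sig):
        return "reject", "signature does not cover these bytes (copied or tampered)"
    if cert.issuer == cert.subject:
        return "reject", "self-signed: nobody vouched for the name on the cert"
    if cert.issuer not in trusted_cas:
        return "reject", f"issuer {cert.issuer!r} is not a CA we trust"
    if cert.serial in revoked:
        return "reject", "certificate revoked (e.g. reported stolen)"
    if cert.subject not in pinned:
        return "reject", f"valid chain, but {cert.subject!r} is not a publisher we expect"
    return "allow", "genuine signature from an expected publisher; not proof the code is clean"


def run_scenarios():
    acme = Cert("Acme Software Ltd", "Example Root CA", "1001", b"acme-key")  # constructed
    clean = b"legitimate installer bytes"     # constructed
    malware = b"trojanised installer bytes"   # constructed
    results = {}

    # Copying certificate information from a clean file: the signature blob is
    # transplanted onto the malware, but it was computed over different bytes.
    results["copied_cert"] = evaluate(acme, malware, sign(acme, clean))

    # Self-signed cert with a fake name.
    fake = Cert("Well-Known Vendor Inc", "Well-Known Vendor Inc", "1", b"attacker-key")
    results["self_signed"] = evaluate(fake, malware, sign(fake, malware))

    # Real CA, misleading name (one letter off from the expected publisher).
    lookalike = Cert("Acme Softwear Ltd", "Example Root CA", "2002", b"attacker-key")
    results["misleading_name"] = evaluate(lookalike, malware, sign(lookalike, malware))

    # Stolen key that has been reported and revoked.
    results["stolen_revoked"] = evaluate(acme, malware, sign(acme, malware),
                                         revoked={"1001"})

    # Stolen key not yet revoked, or a compromised build host: the signature is
    # genuine, so certificate checks alone pass it. This is the article's point.
    results["stolen_unrevoked"] = evaluate(acme, malware, sign(acme, malware))
    return results


if __name__ == "__main__":
    for name, (decision, reason) in run_scenarios().items():
        print(f"{name:18} {decision:7} {reason}")
```

Running it prints a reject for the first four scenarios and an allow for the last, which is exactly why a valid signature should change what you trust (the publisher and the CA), not whether you still scan and sandbox the file.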

PDF of the report can be found here.

Talkback

19 comments
  • And that's what Linux Repos are for.

    P.S.
    The Ed Bott story was bogus.
    The product in question didn't even have a GPG Key assigned to it.
    Not a vendor worth working with IMO.
    Dietrich T. Schmitz, ~ Your Linux Advocate
    • How so?

      @Dietrich T. Schmitz, Your Linux Advocate

      Still proves Linux and its repos aren't as impenetrable as you make it seem. Ed's blog was a valid entry.
      The one and only, Cylon Centurion
      • While nothing is impenetrable Linux repos are the closest you can get to it

        The Ed Bott story was about a software mirror which carried a compromised file, it was not about a compromised repository.
        OS Reload
      • RE: Can you trust signed code? No, you can't!

        @NStalnecker
        You have much to learn little weed hopper.
        *"Man who catch fly with one chopstick can do anything."*
        Get the facts. Jack. ;)
        Dietrich T. Schmitz, ~ Your Linux Advocate
      • re: How so?

        @NStalnecker

        *Ed's blog was a valid entry.*

        Ed's blog was pants-on-fire FUD. He *way* overplayed his hand. The only people who put "Linux" and "impenetrable" in the same sentence are people aching to see Linux getting taken down a notch.

        Ed equates Linux not being impenetrable with the Swiss cheese that was XP in 2003. That's as pants-on-fire as it gets.

        :)
        none none
      • I don't have anything to learn.

        @DTS

        Not from you anyway. Truth is, Linux can be picked apart just like any other operating system. And no, repositories can't prevent stupid, nor are they impenetrable.
        The one and only, Cylon Centurion
    • RE: Can you trust signed code? No, you can't!

      @Dietrich T. Schmitz, Your Linux Advocate
      No thanks, I can't be locked into just one repository.
      Loverock Davidson
      • RE: Can you trust signed code? No, you can't!

        @Loverock Davidson

        I knew it, it would not last long. While we agree about AT&T, you have been sipping WAY too much Kool-Aid.

        In addition to the Ubuntu repositories, I also have some at sourceforge and launchpad. So, there is no way I am locked into only one repository.

        Sorry, try again. For a moment, I thought that this was an `Ed Bott` article. AKH, I thought you knew better?
        fatman65535
    • Sure worked great here.

      http://www.zdnet.com/blog/hardware/how-much-more-malware-is-lurking-in-linux-official-repositories/8615?tag=content;search-results-rivers
      John Zern
  • In a proper repository the signatures are independent from the packages

    If the MD5 or SHA sums are available from different alternative sources then there's no way you can forge them.
    OS Reload
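To illustrate the comment above (an added example in Python, not the commenter's code), here is a cross-check that compares a package's digest against the sums published by several independent sources, insists on a quorum of agreeing sources, treats any disagreeing source as a reason to stop, and refuses to rely on MD5 or SHA-1 alone. The package bytes and the three sources are constructed; "mirror-b" stands in for a compromised mirror that serves a trojaned file together with sums that match it, which is the situation the Ed Bott story above describes.

```python
import hashlib

# Collision-prone digests must not be the sole integrity check: "MD5 forgery"
# is one of the ways a fake can carry sums that match.
WEAK_ALGORITHMS = {"md5", "sha1"}


def digest(data, algo="sha256"):
    return hashlib.new(algo, data).hexdigest()


def cross_check(data, sources, algo="sha256", quorum=2):
    """Compare the local digest of `data` with what each independent source
    publishes. Returns (accepted, agreeing, disagreeing).

    Accepted only when at least `quorum` sources agree AND none disagrees:
    a lone dissenting mirror is itself a signal worth chasing, not noise."""
    if algo in WEAK_ALGORITHMS:
        raise ValueError(f"{algo} is collision-prone; require sha256 or stronger")
    local = digest(data, algo)
    agreeing = sorted(name for name, sums in sources.items() if sums.get(algo) == local)
    disagreeing = sorted(name for name in sources if name not in agreeing)
    accepted = len(agreeing) >= quorum and not disagreeing
    return accepted, agreeing, disagreeing


# ---- constructed inputs --------------------------------------------------
CLEAN = b"example-package-1.0.tar.gz: clean contents"             # constructed
TROJANED = b"example-package-1.0.tar.gz: clean contents+backdoor"  # constructed


def publish(data):
    """What a download page or mirror lists next to the file."""
    return {"sha256": digest(data, "sha256"), "md5": digest(data, "md5")}


SOURCES = {
    "project-site": publish(CLEAN),    # primary site
    "mirror-a": publish(CLEAN),        # honest mirror
    "mirror-b": publish(TROJANED),     # compromised mirror: trojaned file AND matching sums
}


def run_scenarios():
    honest = {k: SOURCES[k] for k in ("project-site", "mirror-a")}
    only_b = {"mirror-b": SOURCES["mirror-b"]}
    return {
        # Clean file, two independent honest sources: accepted.
        "clean_two_honest": cross_check(CLEAN, honest),
        # Clean file against all three: mirror-b disagrees, so stop and look.
        "clean_all_three": cross_check(CLEAN, SOURCES),
        # Trojaned file from mirror-b, checked against everyone: rejected.
        "trojaned_all_three": cross_check(TROJANED, SOURCES),
        # Trojaned file checked ONLY against the mirror that served it: passes.
        # Sums from the same place as the download prove nothing.
        "trojaned_single_source": cross_check(TROJANED, only_b, quorum=1),
    }


if __name__ == "__main__":
    for name, (ok, agree, disagree) in run_scenarios().items():
        print(f"{name:24} accepted={ok} agree={agree} disagree={disagree}")
```

The last scenario is the one to remember: a digest taken from the same server as the file only tells you the download was not corrupted in transit. Independence of the sources, not the digest itself, is what makes the check hard to defeat.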
  • My rule of thumb:

    Trust nothing. Malware today is such a runaway phenomenon, that it is impossible to trust anything anymore.

    I never install anything without first testing it on a non networked PC I have set up. And DEFINITELY DO NOT install browser extensions outside of the expected few.
    The one and only, Cylon Centurion
  • Adrian ...

    Most people I know say you should not trust unsigned code; that does not translate into "trust signed code".
    mrlinux
  • RE: Can you trust signed code? No, you can't!

    Most browsers will warn you about the signed code even if it's directly from Microsoft. IE especially; others don't look at signed code and rely on your virus blocker to filter the site.
    Maarek
  • RE: Can you trust signed code? No, you can't!

    The bigger issue is that people don't understand certificates.
    Loverock Davidson
    • RE: Can you trust signed code? No, you can't!

      @Loverock Davidson

      True, unfortunately. And we see a lot of that misunderstanding reflected in the posts commenting on this article, too!

      The whole point of a cert is NOT that you can "trust the signed code". Rather it moves the question of trust from the code to the company AND the certificate authority.

      That is, if the signing is properly done, then you can trust the code IF you a) trust the company and b) trust the certificate authority. For it is the certificate authority who, among other things, guarantees that the company really is who they say they are before they give them the cert.

      But alas, not all certificate authorities even do this! But VeriSign does. So does any reseller of their certs.

      The other extreme, of course, is self-signed certs, which really give no additional confidence: you cannot even count on the company being who they say they are with a self-signed cert.
      mejohnsn
  • RE: Can you trust signed code? No, you can't!

    Hm, that's scary. Malware, virus & Trojan writers are getting waaay too smart. That's friggin scary. Didn't see this one coming. So how am I to know what's secure/safe to install now? I read certificates at times.
    Synate.Deszeld
  • Another poorly implemented "feature"

    Just like it took Apple to redo video calling even though people have correctly pointed out it's been more or less available for at least several years, someone will have to re-do software validation. Not saying it will be Apple, but someone.

    People are increasingly demanding easy to use, and easy to understand features that work correctly, and that a non-technical consumer can manipulate to accomplish what a device or piece of software was intended for.

    Certificates are a Techie joke. Face it, they are left over from the early days of the web when there was maybe some claim to assurance, but they have never been easy to understand. Seriously: hashes, certificates, sums? A joke indeed.
    croberts
  • RE: Can you trust signed code? Yes, you can!

    But only to the extent that you can trust whoever signed the code. If you're getting the public key to verify the code in question from the same site you downloaded the code itself, you have a potential problem. If you get the key from a trusted 3rd party it is less likely to represent compromised code.
    JDThompson