Can you trust signed code? No, you can't!

A common misconception is that if a piece of code, such as an application, has been signed, it's clean and safe to install. Wrong!

According to Jarno Niemelä of F-Secure, there are literally tens of thousands of instances of malware in the wild that are signed.

How does this happen? There are plenty of ways to get a certificate into malware:

  • Copying Certificate information from clean files
  • Self-signed certs with a fake name
  • MD5 forgery
  • Get certified and be evil
  • Get certificate with misleading name
  • Find someone to sign your stuff for you
  • Steal a certificate
  • Infect a developer's system and get signed along with the software release
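To make the list concrete from the defender's side, here is an added example (not from the original post, not F-Secure's code) of a minimal "is this signature worth anything?" check. The cryptography is a stand-in so it runs with the standard library only: an HMAC keyed per publisher plays the role of the asymmetric code signature, and a flag plays the role of chain validation. All publisher names, keys and sample files are constructed for the demo. The point it shows is that a signature can be present and still be copied from a clean file, self-signed, built on a weak digest, or issued to a look-alike name, and that even a fully valid signature from a real publisher (the stolen-certificate case) says nothing about whether the code is clean.

```python
"""Added example: why "it is signed" is not the same as "it is trustworthy".

Stand-in crypto: HMAC-SHA256 keyed per publisher replaces a real asymmetric
code signature, and a boolean replaces X.509 chain building, so the script
runs offline with only the standard library. All names/keys are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical trust store: exact publisher name -> verification key.
# Exact matching is what defeats "certificate with a misleading name".
TRUSTED_PUBLISHERS: Dict[str, bytes] = {
    "Example Software Ltd": b"example-ltd-signing-key",   # constructed
}
# Digests whose collisions can be used to forge a signature onto other content.
WEAK_DIGESTS = {"md5", "sha1"}


@dataclass
class Signature:
    signer: str          # name the certificate claims
    digest_alg: str      # digest the signature was computed over
    value: bytes         # stand-in for the signature bytes
    self_signed: bool = False  # stand-in for "does not chain to a trusted root"


@dataclass
class SignedFile:
    name: str
    content: bytes
    signature: Optional[Signature]


def sign(content: bytes, signer: str, key: bytes,
         digest_alg: str = "sha256", self_signed: bool = False) -> Signature:
    """Produce a stand-in signature over digest(content) with the given key."""
    digest = hashlib.new(digest_alg, content).digest()
    return Signature(signer, digest_alg, hmac.new(key, digest, "sha256").digest(), self_signed)


def verdict(f: SignedFile) -> str:
    """Explain whether the signature on f should carry any weight, and why."""
    sig = f.signature
    if sig is None:
        return "unsigned"
    if sig.self_signed:
        return "self-signed: the signer name is unverified"
    if sig.digest_alg.lower() in WEAK_DIGESTS:
        return f"weak digest {sig.digest_alg}: collision-forgeable"
    key = TRUSTED_PUBLISHERS.get(sig.signer)
    if key is None:
        return f"unknown publisher {sig.signer!r}: not in trust store"
    expected = hmac.new(key, hashlib.new(sig.digest_alg, f.content).digest(), "sha256").digest()
    if not hmac.compare_digest(expected, sig.value):
        return "signature does not match content: copied from another file?"
    # A valid signature from a real publisher is exactly what a stolen or
    # abused certificate produces; it is not evidence the code is clean.
    return "valid signature from trusted publisher (still not proof the code is clean)"


# Constructed sample files.
CLEAN = b"print('hello from a legitimate release')"
DROPPER = b"print('constructed sample of unwanted code')"


def demo() -> Dict[str, str]:
    """Run each way of 'getting a certificate onto malware' through verdict()."""
    good_key = TRUSTED_PUBLISHERS["Example Software Ltd"]
    clean = SignedFile("app.exe", CLEAN, sign(CLEAN, "Example Software Ltd", good_key))
    cases = {
        "clean": clean,
        # certificate information copied from a clean file onto other content
        "copied_sig": SignedFile("dropper.exe", DROPPER, clean.signature),
        # self-signed cert carrying a fake name
        "self_signed": SignedFile("dropper.exe", DROPPER,
                                  sign(DROPPER, "Example Software Ltd", b"attacker-key", self_signed=True)),
        # signature built on a collision-prone digest
        "md5": SignedFile("dropper.exe", DROPPER,
                          sign(DROPPER, "Example Software Ltd", good_key, digest_alg="md5")),
        # real-looking but misleading publisher name
        "lookalike": SignedFile("dropper.exe", DROPPER,
                                sign(DROPPER, "Example S0ftware Ltd", b"attacker-key")),
        # stolen key / compromised build system: verifies perfectly
        "stolen_key": SignedFile("dropper.exe", DROPPER,
                                 sign(DROPPER, "Example Software Ltd", good_key)),
    }
    return {name: verdict(f) for name, f in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} -> {result}")
```

Only the last two branches of `verdict()` are "signature checks" in the usual sense; the earlier ones are policy decisions (reject self-signed, reject weak digests, require an exact publisher match) that a plain "is it signed?" test skips entirely. The `stolen_key` case is the one no amount of signature checking catches, which is the post's point.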

Bottom line: the certificate is worth the paper it's printed on, so be careful what you go and install. It's a jungle out there!

PDF of the report can be found here.