BelchSpeak


Symantec Still TimeStamping Malware

Code signing is dead. Long live code signing.

You make software that you want people to trust enough to install. So you go to a Certificate Authority, pay anywhere from $150 to $1,000 to prove your identity, validate that your company should be trusted, promise that your software won’t hurt anyone, and the CA grants you a certificate of trust. This certificate is cross-validated by another CA, and a time-stamping authority adds its own stamp of approval, agreeing that yes, the CAs say this is a valid binary, it was signed on this date, and the certificate will be good for this number of years. Go ahead and install the software. It’s legit.

The problem is that malware authors want to fool users into installing their software too. So they also go to Certificate Authorities, claim that their binaries are legit, and, using cash stolen from credit cards or ill-gotten gains from ransomware, they purchase a cert. What is a $250 fee if they can fool thousands into installing malware that generates thousands of dollars in ransom payments?

And to make matters worse, a prominent antivirus company, Symantec, serves as a time-stamping authority that validates signed binaries. If only they possessed, oh, I don’t know, an antivirus engine that could scan the binaries to see if they were malware before accepting cash payments to timestamp them?
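The two paragraphs above describe what a signature and a timestamp countersignature actually attest to: who signed, and when. As an added example (not from the original post), here is a PowerShell check a defender can run on Windows binaries that reads exactly those fields with `Get-AuthenticodeSignature` and then applies a publisher allowlist, so a validly signed, validly timestamped binary from an unvetted publisher is still flagged. The allowlist subject and the `C:\Downloads` path are constructed placeholders.

```powershell
# Added example, not code from the BelchSpeak post. Inspects a binary's
# Authenticode signature and its timestamp countersignature, then applies a
# publisher allowlist. "Signature Valid" only proves who signed and when;
# it is not a statement that the code is benign.
# The allowlist subject below is a constructed placeholder; replace it.

function Test-TrustedSignedBinary {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$TrustedSubjects = @('CN=Example Publisher Inc, O=Example Publisher Inc, C=US')
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = [ordered]@{
        Path             = $Path
        SignatureStatus  = $sig.Status                          # Valid, NotSigned, HashMismatch, ...
        Signer           = $sig.SignerCertificate.Subject
        SignerThumbprint = $sig.SignerCertificate.Thumbprint
        TimeStamper      = $sig.TimeStamperCertificate.Subject  # the TSA that countersigned (e.g. Symantec)
        Trusted          = $false
        Reason           = ''
    }

    if ($sig.Status -ne 'Valid') {
        # Unsigned, tampered, or chained to an untrusted root.
        $result.Reason = "Signature not valid: $($sig.StatusMessage)"
    }
    elseif ($TrustedSubjects -notcontains $sig.SignerCertificate.Subject) {
        # Signed by a real CA-issued certificate, but not by a publisher we vetted.
        # This is the case the post describes: a valid cert bought by a criminal.
        $result.Reason = 'Valid signature from a publisher not on the allowlist'
    }
    else {
        $result.Trusted = $true
        $result.Reason  = 'Valid signature from an allowlisted publisher'
    }

    [pscustomobject]$result
}

# Usage: report every executable in a folder that is not from an allowlisted
# publisher, showing who signed it and which TSA timestamped it.
Get-ChildItem -Path 'C:\Downloads' -Filter *.exe -File |
    ForEach-Object { Test-TrustedSignedBinary -Path $_.FullName } |
    Where-Object { -not $_.Trusted } |
    Format-Table Path, SignatureStatus, Signer, TimeStamper, Reason -AutoSize
```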

Symantec picked up on my tweet and had the gall to respond that I should invest in more software to ensure that malware that they timestamp and certify as legitimate does not harm my systems.

My response:

Hey Symantec, stop taking cash from cyber criminals to validate their malware code signing. Is that too much to ask?

Dr. Jones

Do not talk about fight club. Oops.
