Want My Autograph? The Use and Abuse of Digital Signatures by Malware

Technical paper

Encryption has always been a part of malware, from basic ROT13 string encoding to multi-layered packing algorithms. However, malware authors have discovered ways to exploit the existing strengths and weaknesses of public key cryptography in addition to their home-grown crypto. With the many layers that make up the Public Key Infrastructure (PKI) – certificate issuance, verification, revocation and all of the protocols and software that go in between – scammers have several weaknesses at their fingertips to abuse the overall system. Cheap SSL certificates with automated issuance procedures facilitate the fast and anonymous set-up of rogue e-commerce sites.

Moreover, malware authors are able to pass their trojans off as binaries from a legitimate source, using valid or invalid signatures, as most users simply click through the related security warnings.

Making matters worse, much of the endpoint software consuming digitally signed content has its own weaknesses, including off-by-default certificate revocation checking mechanisms. In addition to abuse, malware authors are also exploiting the strengths of public key cryptography for uses including secure botnet command and control.
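Go's crypto/x509 is a concrete instance of the off-by-default revocation checking described above: Certificate.Verify builds a chain to a trusted root but, as its own documentation warns, does no revocation checking, so the consumer has to fetch and consult the CRL itself. The following is an added example, not code from the paper or from SophosLabs. It generates a throwaway CA and a code-signing certificate in memory (the names "Example Test CA" and "Example Software Publisher Ltd" are made up), signs a constructed stand-in for a binary, then has the CA revoke the signer. The same detached signature verifies cleanly when revocation is not checked and is rejected once the CRL is consulted. It needs Go 1.19 or later for x509.ParseRevocationList.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TestPKI is a throwaway CA plus the code-signing leaf it issued, all in memory.
type TestPKI struct {
	CACert, LeafCert *x509.Certificate
	caKey, LeafKey   *ecdsa.PrivateKey
	Roots            *x509.CertPool
}

func parseIfOK(der []byte, err error) (*x509.Certificate, error) {
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewTestPKI builds the CA and issues a code-signing certificate to a made-up publisher.
func NewTestPKI() (*TestPKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	spki, _ := x509.MarshalPKIXPublicKey(&caKey.PublicKey)
	skid := sha256.Sum256(spki) // CreateRevocationList requires the issuer to carry a SubjectKeyId
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, SubjectKeyId: skid[:20],
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caCert, err := parseIfOK(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Example Software Publisher Ltd"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leafCert, err := parseIfOK(x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey))
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &TestPKI{CACert: caCert, LeafCert: leafCert, caKey: caKey, LeafKey: leafKey, Roots: roots}, nil
}

// Sign makes a detached ECDSA-P256/SHA-256 signature, the primitive that a
// code-signing container such as Authenticode wraps with certificates and metadata.
func Sign(key *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// RevokeLeaf has the CA publish a CRL listing the leaf's serial number, as it
// would after a stolen or fraudulently obtained certificate is reported.
func (p *TestPKI) RevokeLeaf() ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(24 * time.Hour),
		// RevokedCertificates is the pre-Go-1.21 field name; newer toolchains still honour it.
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: p.LeafCert.SerialNumber, RevocationTime: now.Add(-time.Minute)}},
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, p.CACert, p.caKey)
}

// isRevoked checks that the CRL was signed by the issuer and is current, then looks for the serial.
func isRevoked(crlDER []byte, issuer, cert *x509.Certificate) (bool, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	if time.Now().After(rl.NextUpdate) {
		return false, errors.New("CRL is stale")
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// VerifySignedBinary does what a signature-consuming endpoint does: check the
// signature, then chain the signer to a trusted root. Certificate.Verify does
// no revocation checking, so that step is explicit and, as in much endpoint
// software, runs only when the caller turns it on. A missing or bad CRL fails
// closed here; many consumers instead soft-fail and accept the signature.
func VerifySignedBinary(signer *x509.Certificate, roots *x509.CertPool, payload, sig, crlDER []byte, checkRevocation bool) error {
	if err := signer.CheckSignature(x509.ECDSAWithSHA256, payload, sig); err != nil {
		return fmt.Errorf("bad signature: %w", err)
	}
	chains, err := signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	if err != nil {
		return fmt.Errorf("untrusted chain: %w", err)
	}
	if !checkRevocation {
		return nil // revocation status never consulted: the off-by-default case
	}
	chain := chains[0] // leaf first, its issuer next, root last
	if len(chain) < 2 {
		return errors.New("no issuer in chain")
	}
	revoked, err := isRevoked(crlDER, chain[1], signer)
	if err != nil {
		return fmt.Errorf("revocation check failed: %w", err)
	}
	if revoked {
		return errors.New("signer certificate is revoked")
	}
	return nil
}

func main() {
	p, err := NewTestPKI()
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed stand-in for an executable's signed bytes")
	sig, _ := Sign(p.LeafKey, payload)
	crl, _ := p.RevokeLeaf()
	fmt.Println("no revocation check:", VerifySignedBinary(p.LeafCert, p.Roots, payload, sig, crl, false))
	fmt.Println("with CRL check:", VerifySignedBinary(p.LeafCert, p.Roots, payload, sig, crl, true))
	fmt.Println("tampered payload:", VerifySignedBinary(p.LeafCert, p.Roots, append(payload, '!'), sig, crl, false))
}
```

The first line of output is `<nil>`: a revoked signer still passes every check the library performs by default, which is exactly the window a criminal with a stolen or fraudulently issued certificate relies on. Whether to fail closed on a missing CRL, as this code does, or soft-fail is a policy choice the consumer has to make deliberately; the library does not make it for you.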

This paper discusses these abuses of digital signatures and possible approaches to turn the criminals’ investment in their fraudulent reputation into additional protection mechanisms.

This paper was presented at Virus Bulletin in Vancouver, 2010


The principle of a signature serves a very useful purpose – it is a definitive mark – a guarantee that an object has been created, approved or validated by some entity. Digital signatures by design serve the same purpose – to authoritatively bind an identity to some data, be it a web address, executable software or otherwise. While these signatures fundamentally rely on public key cryptography mathematics, there are many file formats, network protocols, software components and business entities which make up the PKI to support the consumption of digital signatures. As with any complex multi-layered system, individual components as well as interactions between components can have weaknesses – which criminals are happy to exploit.


Mike Wood

Mike Wood is a Threat Researcher at SophosLabs in Vancouver, Canada.
