IMDEA Software Institute, Software Seminar Series (2015)

Platon Kotzias

Tuesday, 21 July 2015

11:00am Meeting room 302 (Mountain View), level 3

Platon Kotzias, PhD Student, IMDEA Software Institute

A Matter of Trust: Malware Abuse in Authenticode Code Signing

Abstract:

Code signing is a solution to verify the integrity of software and its publisher's identity, but it can be abused by malware to look benign. This work performs a systematic analysis of Windows Authenticode code signing abuse, evaluating the effectiveness of existing defenses by certification authorities. We build an infrastructure that automatically analyzes signed malware, classifies it into operations, and produces a blacklist of malicious certificates. We evaluate it on 350K malware samples from 2006-2015. Our analysis shows a constant increase of signed malware over time and that CA defenses such as identity checks and revocation are not currently effective. Up to 97% of the signed malware uses CA-issued certificates, and only 15% of those certificates are revoked. Our generated blacklist is 9x larger than current ones. We analyze the code signing infrastructure of the largest operations and show how they evolve over time, using multiple identities and leveraging the lack of CA synchronization to move from one CA to another. We also identify a design issue in Authenticode where timestamped signed malware successfully validates even after the revocation of its code signing certificate. We propose hard revocations as a solution.

Joint work with Srdjan Matic, Richard Rivera, Juan Caballero.
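The design issue named in the abstract (a timestamped signature surviving a later revocation of its certificate) and the proposed fix (hard revocation) can be shown with a small validation model. The following is an added example written for this page, not code from the authors or from Windows: it models only the reference-time rule of Authenticode (validity and revocation judged at the trusted countersignature timestamp when one exists, otherwise at verification time) and assumes a single CRL revocation date per certificate. Real Windows validation (WinVerifyTrust, CRL/OCSP fetching, the CRL Invalidity Date extension) has more rules than this. The certificates, serial numbers and dates are constructed for the example.

```python
"""Added example: soft vs hard revocation of an Authenticode signing certificate.

Assumptions (not from the paper or from Windows):
 - a certificate has one validity window and at most one revocation date;
 - a signature carries either a trusted countersignature timestamp or none;
 - soft revocation = the rule modelled after Authenticode: judge validity and
   revocation at the timestamp if present, else at verification time;
 - hard revocation = the proposal: a revoked certificate invalidates every
   signature ever made with it, timestamped or not.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


@dataclass
class Certificate:
    serial: str                          # constructed value, not a real serial
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # CRL revocation date; None = not revoked


@dataclass
class Signature:
    cert: Certificate
    timestamp: Optional[datetime]        # trusted countersignature time; None = none


def validate(sig: Signature, now: datetime, hard_revocation: bool = False) -> Tuple[bool, str]:
    """Return (is_valid, reason) for a signature verified at time `now`."""
    cert = sig.cert
    # Reference time: the trusted timestamp if the signature has one, else now.
    # This is what lets a timestamped signature outlive certificate expiry.
    ref = sig.timestamp if sig.timestamp is not None else now
    if not (cert.not_before <= ref <= cert.not_after):
        return False, "certificate not within its validity period at reference time"
    if cert.revoked_at is not None:
        if hard_revocation:
            # Proposal: revocation voids all signatures regardless of when made.
            return False, "certificate revoked (hard revocation)"
        if cert.revoked_at <= ref:
            return False, "certificate revoked on or before reference time"
        # Soft revocation: a revocation dated after the timestamp is ignored,
        # so signed malware timestamped before the CA revoked the cert stays valid.
    return True, "valid"


def demo() -> Dict[str, bool]:
    """Constructed scenario: a cert revoked on 2014-06-01, verified on 2015-07-21."""
    abused = Certificate("01:AB", utc(2013, 1, 1), utc(2015, 12, 31), revoked_at=utc(2014, 6, 1))
    clean = Certificate("02:CD", utc(2013, 1, 1), utc(2015, 12, 31))
    now = utc(2015, 7, 21)
    signed_before_revocation = Signature(abused, timestamp=utc(2014, 1, 15))
    signed_after_revocation = Signature(abused, timestamp=utc(2014, 9, 1))
    not_timestamped = Signature(abused, timestamp=None)
    return {
        # The design issue: timestamped before revocation, still valid under soft revocation.
        "ts_before_revocation_soft": validate(signed_before_revocation, now)[0],
        # Hard revocation closes that gap.
        "ts_before_revocation_hard": validate(signed_before_revocation, now, hard_revocation=True)[0],
        # Timestamped after the revocation date: invalid either way.
        "ts_after_revocation_soft": validate(signed_after_revocation, now)[0],
        # No timestamp: judged at verification time, so the revocation applies.
        "no_timestamp_soft": validate(not_timestamped, now)[0],
        # Legitimate use of timestamps: a clean cert's signature outlives its expiry.
        "ts_clean_after_expiry": validate(Signature(clean, utc(2014, 3, 1)), utc(2016, 1, 1))[0],
        # Without a timestamp the same signature dies with the certificate.
        "no_ts_clean_after_expiry": validate(Signature(clean, None), utc(2016, 1, 1))[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'valid' if ok else 'invalid'}")
```

The first two entries of `demo()` are the whole argument: under the modelled soft rule a sample timestamped before the revocation date verifies as valid years later, and only the hard rule rejects it. Note that hard revocation also kills every legitimate binary signed with a stolen or abused certificate, which is the trade-off a CA accepts with that policy.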