Who Do I Trust? Me, That's Who...

Malware using digital signatures to dupe endpoints has been on the rise. We saw this tactic pick up momentum with the rise of attacks like Stuxnet, Duqu, and Flame (to name a few). As the problem continues to grow, it affects both enterprises and the companies whose digital signatures are hijacked and used for evil. This is especially a problem when the trusted signer is a well-known organization, increasing the likelihood that files bearing their signature will be trusted. We've all seen the headlines...

It happened with Microsoft. And Adobe. And the list goes on...

Spear phishing email attacks, which remain the leading point of entry for advanced malware in enterprises, are more frequently carrying attachments that are digitally signed. This is bad news for enterprises with heavy reliance on anti-virus or security solutions that trust (whitelist) files entering the network because they are digitally signed. Even in the case of files with invalid digital signatures, the threat can persist because some solutions won’t even bother to check if the certificate has been revoked.

We are also seeing more malware that includes clean files that are digitally signed. These can be chunks of code ripped off from other programs or clean auxiliary files belonging to other products or the OS itself, all signed with valid digital signatures.

So now not only are we concerned with malicious files themselves being digitally signed, we also now have to contend with clean digitally signed files being used for evil purposes.

Korplug a.k.a. PlugX is an example of malware that does this,

documented before by Symantec and Trend Micro.

Hardly a week goes by where we don't see digital signatures being used (or abused) by malware in some fashion.

Taking a look at a sample from a previous blog post, we can see that this malware also had similar tricks up its sleeve.


Figure 1. Digital signature details for the malware .DLL file

When the main dropper was executed, two files were dropped, including a .DLL.

In Figure 1, we can see the .DLL is signed with a forged digital signature (pretending to be from Kaspersky).

Not exactly a new technique, we saw Zeus do something similar a couple years back. But it's interesting to see that malware creators are still trying to get by with an invalid digital signature from a security vendor nonetheless.

The malware also dropped a file named "QQLive.exe." This file is also digitally signed with a valid digital signature from China-based Tencent Technology, creators of QQ, a very popular chat service across Asia with an estimated 600+ million users.


Figure 2. Valid digital signature for QQLive.exe

As it turns out, the QQLive.exe dropped is clean and was included to facilitate loading the malware’s core .DLL.

By itself, the file poses no risk, but when this QQLive.exe is used to load the .DLL, it becomes a catalyst for infection.

Comparing the malware’s included QQLive.exe to an available download from the QQ website, it’s deja vu.


Figure 3. Malware's QQLive on left, downloaded QQLive app on the right

We contacted Tencent to inform them of malware using code and digital signatures from their application. They confirmed the validity of the digital signature and also acknowledged other reports of malware creators using code from QQ in malicious applications.

Why the malware creators picked QQ could be due to its almost ubiquitous presence in the region, so QQ software artifacts on a system might not seem that unusual.

As of this writing Tencent has not revoked the certificate.

While this may seem slightly unnerving, we should keep in mind that (to our knowledge) the malware creators haven’t actually signed malware with the Tencent signature, but they are using it in a way that increases the risk level of environments into which it finds its way.

While digital signatures are supposed to help establish "trust" and bolster security, an inconvenient truth is, in today's threat environment, it's getting more and more difficult to determine whom to actually trust...