
Alphabet's Chronicle Explores Code-Signing Abuse in the Wild


A new analysis highlights how much malware carries signatures issued by certificate authorities, and the problems this creates for trust-based security. Researchers at Chronicle, the cybersecurity company and Alphabet subsidiary, today published the results of their investigation into the trend of signed malware being used in the wild. They limited the project to Windows PE executable files, filtered out samples with fewer than 15 aggregate detections, and "aggressively" filtered out grayware to determine how many malware samples each CA was responsible for signing.

CAs whose certificates were used to sign 100 or more malware samples accounted for nearly 78% of the signed malware uploaded to VirusTotal, Chronicle reports. For example, COMODO RSA Code Signing CA, which has the most samples at 1,775, has almost 3.5 times as many as Thawte SHA256 Code Signing CA, which has the next-highest count at 509 signed malware samples. More than 20% of the malware samples had their certificates revoked by the time Chronicle's blog post was published, a sign that CAs are cracking down.
