Malware certificate signing.

GTP

Well-Known Member
Location: Adelaide, Australia
Excerpt from Security Now! podcast #636

"The researchers found that at least 34 anti-virus products failed to check the certificate's
validity, allowing malicious code to run on the system.
To determine if malformed signatures can affect the anti-virus detections they downloaded 5
random unsigned ransomware samples that almost all anti-virus programs detected as
malicious. They then took two expired certificates that previously had been used to sign both
legitimate software and in-the-wild malware and used them to sign each of the five ransomware
samples. And they found that many anti-virus products failed to detect the malware as
malicious...."

https://thehackernews.com/2017/11/malware-digital-certificate.html

Dan Goodin lists some of the AVs that failed here.

https://arstechnica.com/information...are-flourished-before-stuxnet-and-still-does/

@Emsisoft @UmbraEmsisoft how does Emsisoft handle this?
 
Where is Bitdefender? I'm actually a little surprised that Avira is in the list.

Edit: Oh, this is for ransomware. I wonder, if executed, whether it would have actually succeeded in encrypting with Malwarebytes Pro; seems unlikely.
 
Where is Bitdefender? I'm actually a little surprised that Avira is in the list.

Edit: Oh, this is for ransomware. I wonder, if executed, whether it would have actually succeeded in encrypting with Malwarebytes Pro; seems unlikely.
Yeah, I think the "Malwarebytes" mentioned is the free version.
Even though "the 34 AVs" failed to detect them, it might be a different story when it comes to actual execution?
 
I don't see Bitdefender mentioned as failing to detect them, so I guess EAM isn't subject to it. I will ask our Malware Analysis Team.

Yeah, I think the "Malwarebytes" mentioned is the free version.
Even though "the 34 AVs" failed to detect them, it might be a different story when it comes to actual execution?
Indeed, in our case the Behavior Blocker should react to the execution.
 
@Barcelona so about Emsisoft handling this:

We handle it by blacklisting digital certificates used by malware.
Windows handles validation of digital signatures, not AVs.

We'd cause tons of problems if we started trying to validate certificates, because older software would suddenly no longer be trusted, even though it is safe.
 
They then took two expired certificates that previously had been used to sign ... in-the-wild malware

I sort of wonder where they got private keys for these? My understanding is that you need a private key to sign the certificate, and only the original malware "vendor" has it?
 
I sort of wonder where they got private keys for these? My understanding is that you need a private key to sign the certificate, and only the original malware "vendor" has it?
I wonder where, how, who, jeez!!! Getting those keys requires an incredible amount of resources, of all kinds.
It's all explained in the podcast if you're interested. Or you can read the show notes at grc.com/securitynow ;)
 
I wonder where, how, who, jeez!!! Getting those keys requires an incredible amount of resources, of all kinds.

Well, they did not have any actual private keys, he says at around 0:19:30 in the podcast. They just attached signatures which were invalid for their respective new binaries. So they did not actually create valid signatures.

The wording

They then took ... certificates ... and used them to sign ... ransomware

is therefore incorrect. They did not do the actual signing; they just appended someone else's signature to a ransomware module. They never produced a valid signature.

That's perfectly understandable then. The AV software did not work even with these though.
 
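The "lifted signature" trick described in the post above, as an added example that is not from the thread, the podcast, the researchers or any vendor's code: a toy Python model of the difference between "a signature is present" and "the signature is valid for this file". The PE image and the signature blob are constructed for the demo (the blob stands in for PKCS#7 SignedData; signer name and dates are made up), and cryptographic verification of the signature and chain building are deliberately left out. What it does model is the Authenticode digest rule, which excludes the CheckSum field, the Security data-directory entry and the certificate table itself from the hash, so that a signature is bound to one specific file and a presence-only check is not.

```python
"""Signature present vs. signature valid for THIS file: a toy model of the
Authenticode check the 34 products skipped. Constructed demo, not vendor code."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data-directory slot of the certificate table

def build_minimal_pe(payload: bytes) -> bytes:
    """Constructed, unsigned PE32+ image (DOS stub, COFF, optional header, one
    section). Not loadable; only the fields the hashing rule needs are real."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                              # e_lfanew
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                               # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)                              # Magic
    struct.pack_into("<I", opt, 60, 512)                               # SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)                        # CheckSum: excluded from hash
    struct.pack_into("<I", opt, 108, 16)                               # NumberOfRvaAndSizes
    sec = bytearray(40)
    sec[0:5] = b".text"
    struct.pack_into("<IIII", sec, 8, len(payload), 0x1000, len(payload), 512)
    return (bytes(dos) + coff + bytes(opt) + bytes(sec)).ljust(512, b"\0") + payload

def pe_layout(image: bytes):
    """File offsets of what Authenticode excludes from the digest: the CheckSum
    field, the Security data-directory entry, and the certificate table."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    opt = e_lfanew + 24                                  # past "PE\0\0" and the COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)         # PE32+ vs PE32 directory offset
    secdir = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", image, secdir)
    return opt + 64, secdir, cert_off, cert_size

def authenticode_sha256(image: bytes) -> bytes:
    """Authenticode digest over the file minus the three excluded ranges.
    Simplification: a linear pass, equal to the spec's section-ordered pass
    for a gap-free image such as the one built above."""
    checksum_off, secdir_off, cert_off, cert_size = pe_layout(image)
    skip = [(checksum_off, 4), (secdir_off, 8)] + ([(cert_off, cert_size)] if cert_size else [])
    h, pos = hashlib.sha256(), 0
    for off, size in sorted(skip):
        h.update(image[pos:off])
        pos = off + size
    h.update(image[pos:])
    return h.digest()

def demo_sign(image: bytes, signer: str, not_after: int) -> bytes:
    """Toy blob standing in for PKCS#7 SignedData: expiry (epoch seconds),
    signer name, and the digest it vouches for (SpcIndirectDataContent's role)."""
    return struct.pack("<I", not_after) + signer.encode().ljust(32, b"\0") + authenticode_sha256(image)

def attach_signature(image: bytes, blob: bytes) -> bytes:
    """Append a WIN_CERTIFICATE entry (PKCS_SIGNED_DATA) and point the Security
    directory at it; an existing trailing table is replaced. Feeding in a blob
    taken from another file is precisely the 'lifted signature' trick."""
    _, secdir_off, cert_off, cert_size = pe_layout(image)
    image = bytearray(image[:cert_off] if cert_size else image)
    entry = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    entry = entry.ljust((len(entry) + 7) // 8 * 8, b"\0")              # 8-byte aligned
    struct.pack_into("<II", image, secdir_off, len(image), len(entry))
    return bytes(image) + entry

def get_signature_blob(image: bytes):
    """bCertificate of the first WIN_CERTIFICATE entry, or None if unsigned."""
    _, _, cert_off, cert_size = pe_layout(image)
    if not cert_size:
        return None
    length = struct.unpack_from("<I", image, cert_off)[0]
    return image[cert_off + 8:cert_off + length]

def naive_is_trusted(image: bytes) -> bool:
    """The failure in the thread: a certificate table exists, so the sample is
    treated as signed software. The digest is never recomputed."""
    return get_signature_blob(image) is not None

def verify_signature(image: bytes, now: int) -> str:
    """What a real check must do before trusting the signer: recompute the
    digest and compare, then apply validity dates. Cryptographic verification
    of the signature and chain building (WinVerifyTrust's job) are omitted."""
    blob = get_signature_blob(image)
    if blob is None:
        return "NotSigned"
    not_after = struct.unpack_from("<I", blob, 0)[0]
    if blob[36:68] != authenticode_sha256(image):
        return "HashMismatch"    # this blob vouches for some other file
    if now > not_after:
        return "Expired"         # a timestamp countersignature would normally cover this
    return "Valid"

if __name__ == "__main__":
    legit = build_minimal_pe(b"benign program code\n" * 8)
    ransom = build_minimal_pe(b"ransomware payload\n" * 8)
    signed = attach_signature(legit, demo_sign(legit, "Example Software Ltd", 1_500_000_000))
    lifted = attach_signature(ransom, get_signature_blob(signed))   # the researchers' move
    for name, img in (("legit, signed", signed), ("ransomware, lifted sig", lifted)):
        print(f"{name:24} naive={naive_is_trusted(img)} real={verify_signature(img, 1_400_000_000)}")
```

Run it and the signed legitimate file comes back Valid while the ransomware carrying the lifted blob comes back HashMismatch, yet the presence-only check accepts both; that gap is the whole finding. On a real PE the same distinction is what PowerShell's Get-AuthenticodeSignature reports in its Status field (Valid, HashMismatch, NotSigned, ...), which is the Windows-side validation the Emsisoft reply refers to.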
Well, they did not have any actual private keys, he says at around 0:19:30 in the podcast. They just attached signatures which were invalid for their respective new binaries. So they did not actually create valid signatures.
Thank you for saving me the time I didn't have yesterday to listen to it. :D
Now things are clearer to me when the bad guys created invalid signatures.
 
What is the consensus on the best solution, though?
Use one of the AVs that DO stop the shenanigans! Emsisoft would be my first choice! ;)
As with anything you do on your computer, it comes down to common sense. We all know that nothing can protect you from everything (unless you unplug from the wall socket).
There are other mitigations you can put in place that will also help.
 
The best solution in my opinion would be something like Bitdefender + Malwarebytes Pro for a normal everyday user. Emsisoft still asks too many questions for my taste, and Malwarebytes Pro is fine for normal everyday users... power users may run into some performance hiccups while doing excessive things.
 
The best solution in my opinion would be something like Bitdefender + Malwarebytes Pro for a normal everyday user. Emsisoft still asks too many questions for my taste, and Malwarebytes Pro is fine for normal everyday users... power users may run into some performance hiccups while doing excessive things.
What "questions"? I have a huge install base now and no one complains about "questions".
It takes about 10 seconds to set it to auto resolve with/without notification.
Just out of curiosity, have you ever actually installed Emsisoft?
 
What "questions"? I have a huge install base now and no one complains about "questions".
It takes about 10 seconds to set it to auto resolve with/without notification.
Just out of curiosity, have you ever actually installed Emsisoft?

What are you talking about? The behavior blocker doesn't have an auto-resolve without notification, and even if it did, it would kill too many apps to use. Hell, just the other day it literally spammed me like 20 times for a Twitch app update.
 
What are you talking about? The behavior blocker doesn't have an auto-resolve without notification, and even if it did, it would kill too many apps to use. Hell, just the other day it literally spammed me like 20 times for a Twitch app update.
Don't know what I was thinking, I meant "Alert."
Hasn't killed anything I've installed, either on my own systems or clients.
I have around 200 installs (including on my own PCs) of Emsisoft Anti-Malware and I have had no one complain about being "spammed" about anything. Gamers, businesses, residential, all have no problems.
My clients download and use dozens of apps and programs and still don't get spammed.
Is the "Twitch app update" from a legitimate source or one found on the internet at random?
What do the messages say?

Has anyone else who installed the Twitch app update and uses Emsisoft been "spammed" "like 20 times" with messages when installing it?
 