Abstract
Code-signing PKI ecosystems are vulnerable to abuse. Kim et al. reported such abuse cases, e.g., malware authors signing their malicious programs with the stolen private keys of reputable code-signing certificates. Such certified malware exploits the chain of trust established in the ecosystem and helps an adversary readily bypass security mechanisms such as anti-virus engines. Prior work analyzed large corpora of certificates collected in the wild to characterize the resulting security problems. However, that analysis was typically performed from a global perspective and often left behind issues that occur at a local level. Our work revisits the investigations of previous studies from a local perspective. In particular, we focus on code-signing certificates issued to South Korean companies. South Korea employs the code-signing PKI ecosystem with its own regional adaptations and is thus a good candidate for comparison. To begin with, we build a data collection pipeline and collect 455 certificates that were issued to South Korean companies and are potentially misused. We analyze those certificates along three dimensions: (i) abusers, (ii) issuers, and (iii) the life cycle of the certificate. We first find that strong government regulation can affect the market share of CAs. We also observe several problems in certificate revocation: (i) certificates issued by local companies that have since closed their code-signing business still exist, (ii) only 6.8% of the abused certificates are revoked, and (iii) eight certificates are not revoked properly. All of these can extend the validity of certified malware in the wild. Moreover, we show that the number of abuse cases is high in South Korea despite its small population. Our study implies that Korean security practitioners must pay immediate attention to code-signing PKI abuse cases to safeguard the entire ecosystem.
Notes
- 1.
PKI in Asia – Case Study and Recommendations: https://fidoalliance.org/wp-content/uploads/FIDO-UAF-and-PKI-in-Asia-White-Paper.pdf.
- 2.
- 3.
- 4.
- 5.
Internet world stats: https://www.internetworldstats.com/stats3.htm.
- 6.
Provided by crosscert: https://www.crosscert.com/symantec/02_1_04.jsp.
- 7.
References
What should I do with the annoying ads? (in Korean). https://www.donga.com/news/Economy/article/all/20140914/66399483/1. Accessed 03 Sept 2020
N. Korea fakes ‘code signing’ to spread spyware. KBS world radio. http://world.kbs.co.kr/service/news_view.htm?lang=e&Seq_Code=119375. Accessed 30 Aug 2020
To bypass code-signing checks, malware gang steals lots of certificates. ars technica. https://arstechnica.com/information-technology/2016/03/to-bypass-code-signing-checks-malware-gang-steals-lots-of-certificates/. Accessed 30 Aug 2020
Adobe. Electronic Signature Laws and Regulations - South Korea (2020). https://helpx.adobe.com/sign/using/legality-south-korea.html
Alrawi, O., Mohaisen, A.: Chains of distrust: towards understanding certificates used for signing malicious applications. In: WWW 2016, Republic and Canton of Geneva, Switzerland (2016)
Chai, S.-W., Min, K.-S., Lee, J.-H.: A study of issues about accredited certification methods in Korea. Int. J. Secur. Appl. 9(3), 77–84 (2015)
Code Signing Working Group. Minimum requirements for the issuance and management of publicly-trusted code signing certificates. Technical report (2016)
Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., Polk, W.: Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile. RFC 5280. RFC Editor (May 2008). http://www.rfc-editor.org/rfc/rfc5280.txt
Durumeric, Z., Wustrow, E., Halderman, J.A.: ZMap: fast internet-wide scanning and its security applications. In: Proceedings of the 22nd USENIX Conference on Security, SEC 2013, Berkeley, CA, USA, pp. 605–620. USENIX Association (2013)
Falliere, N., O’Murchu, L., Chien, E.: W32.Stuxnet dossier. Symantec Whitepaper (February 2011)
Geater, J.: How to remove Kraddare. https://www.solvusoft.com/en/malware/potentially-unwanted-application/kraddare/
Google: Announcing the first SHA1 collision (February 2017)
Kim, D., Kwon, B. J., Dumitras, T.: Certified malware: measuring breaches of trust in the windows code-signing PKI. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017 (2017)
Kim, D., Kwon, B.J., Kozák, K., Gates, C., Dumitras, T.: The broken shield: measuring revocation effectiveness in the windows code-signing PKI. In: 27th USENIX Security Symposium, USENIX Security 2018. USENIX Association (2018)
KLRI: Digital Signature Act, 2017. https://elaw.klri.re.kr/eng_service/lawView.do?hseq=42625&lang=ENG
Kotzias, P., Bilge, L., Caballero, J.: Measuring PUP prevalence and PUP distribution through pay-per-install services. In: Proceedings of the USENIX Security Symposium (2016)
Kotzias, P., Matic, S., Rivera, R., Caballero, J.: Certified PUP: abuse in Authenticode code signing. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015. ACM, New York (2015)
Kozák, K., Kwon, B.J., Kim, D., Gates, C., Dumitraş, T.: Issued for abuse: measuring the underground trade in code signing certificate. In: 17th Annual Workshop on the Economics of Information Security (WEIS) (2018)
Kwon, B.J., Srinivas, V., Deshpande, A., Dumitras, T.: Catching worms, trojan horses and PUPs: unsupervised detection of silent delivery campaigns. In: 24th Annual Network and Distributed System Security Symposium, NDSS 2017 (2017)
Microsoft: Microsoft security advisory: update for deprecation of MD5 hashing algorithm for Microsoft root certificate program, 13 August 2013
Microsoft: Trojan:win32/delf. https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Delf
Microsoft: Trojan:win32/kraddare. https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Kraddare
Microsoft: Win32/onescan. https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=win32%2Fonescan
Microsoft: Erroneous VeriSign-issued Digital Certificates Pose Spoofing Hazard (2001)
Microsoft: Windows Authenticode portable executable signature format (March 2008). http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx
Morowczynski, M.: SHA-1 deprecation and changing the root CA’s hash algorithm (2018)
Niemela, J.: It’s Signed, therefore it’s Clean, right? (2010)
NLIC: Electronic Financial Transaction Act, 2017. http://www.law.go.kr/eng/engLsSc.do?menuId=1&query=electronic+financial+transactions+act&x=0&y=0#liBgcolor0
Park, H.M.: The web accessibility crisis of the Korea’s electronic government: fatal consequences of the digital signature law and public key certificate. In: 2012 45th Hawaii International Conference on System Sciences, pp. 2319–2328. IEEE (2012)
Sebastián, M., Rivera, R., Kotzias, P., Caballero, J.: AVclass: a tool for massive malware labeling. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds.) RAID 2016. LNCS, vol. 9854, pp. 230–253. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45719-2_11
SWIAT (Microsoft Security Research & Defense): Flame malware collision attack explained (June 2012)
Wood, M.: Want my autograph? The use and abuse of digital signatures by malware. In: Virus Bulletin Conference, September 2010, pp. 1–8 (September 2010)
Yilek, S., Rescorla, E., Shacham, H., Enright, B., Savage, S.: When private keys are public: results from the 2008 Debian OpenSSL vulnerability. In: Proceedings of the 9th ACM SIGCOMM Conference on Internet Measurement, IMC 2009. ACM (2009)
Acknowledgements
We thank the anonymous referees for their constructive feedback. This research was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (2021R1F1A1049822). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsor.
A Appendix
Code-signing process. (1) A publisher applies to a code-signing CA for a code-signing certificate, presenting identification such as a government-issued photo ID. (2) After vetting, the CA issues a code-signing certificate to the publisher. (3) Using \(\mathtt {SignTool}\) (the signing tool provided by Microsoft), the publisher signs a binary sample with the certificate. (4) When a Timestamp Authority (TSA) is specified for timestamping (cf. Sect. 2.2), the signing tool sends the hash value of the binary sample to the TSA server. (5) The TSA server issues the timestamp, signs it with the TSA's private key, and sends it back to the signing tool. (6) The signing tool embeds the code-signing and TSA certificate chains, the digital signature, and the timestamp into the binary sample. (7) Finally, the publisher distributes the signed binary sample in the wild.
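The timestamp obtained in steps (4) to (6) is what decides whether a later revocation actually bites, which is the failure mode behind the "not revoked properly" cases in the abstract. The following Python model is an added example, not code from the paper or from SignTool: it encodes the verifier's rules as assumed here (a timestamped signature is judged at the TSA time rather than at verification time, and a revocation only invalidates it when the revocation date is no later than that TSA time) and runs them over constructed dates and a constructed publisher name.

```python
"""Model of the Authenticode trust decision for timestamped signatures.

Added example; the rules below are a simplified model of the Windows
verifier (assumption), with chain building, hash checks and the TSA's own
certificate left out. All dates and names are constructed, not real data.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional, Tuple


@dataclass
class CodeSigningCert:
    subject: str
    not_before: datetime
    not_after: datetime
    # Revocation date published via CRL/OCSP (RFC 5280), if the CA revoked it.
    revocation_date: Optional[datetime] = None


@dataclass
class AuthenticodeSignature:
    cert: CodeSigningCert
    # Signing time asserted by the TSA countersignature; None when the
    # publisher skipped step (4) and signed without a timestamp.
    timestamp: Optional[datetime] = None


def evaluate(sig: AuthenticodeSignature, now: datetime) -> Tuple[bool, str]:
    """Return (trusted, reason) for a verification performed at `now`."""
    cert = sig.cert
    # A timestamped signature is judged at the TSA time; otherwise at `now`.
    effective_time = sig.timestamp if sig.timestamp is not None else now

    if not (cert.not_before <= effective_time <= cert.not_after):
        return False, "certificate not valid at effective time"

    if cert.revocation_date is not None:
        if sig.timestamp is None:
            # No proof of when it was signed: any revocation is fatal.
            return False, "certificate revoked (untimestamped signature)"
        if cert.revocation_date <= sig.timestamp:
            return False, "certificate revoked before signing time"
        # Revocation dated after the TSA time: the signature keeps validating.
        return True, "revoked after signing time; timestamped signature still trusted"

    return True, "valid"


def effective_revocation_date(malicious_timestamps: Iterable[datetime]) -> datetime:
    """Revocation date a CA must use so that every known-malicious signature
    fails: no later than the earliest TSA timestamp among those samples."""
    return min(malicious_timestamps)


def demo() -> dict:
    """Constructed scenario: one certificate, one malicious sample signed
    during the certificate's validity, verified years later."""
    cert = CodeSigningCert("Example Co. Ltd. (constructed)",
                           datetime(2018, 1, 1), datetime(2019, 1, 1))
    signed_at = datetime(2018, 6, 1)   # TSA timestamp on the malware
    now = datetime(2021, 6, 1)         # verification long after expiry
    out = {}
    # (A) timestamped, certificate expired: still trusted; timestamps exist for this
    out["timestamped_after_expiry"] = evaluate(
        AuthenticodeSignature(cert, signed_at), now)[0]
    # (B) same certificate, no timestamp: judged at `now`, so it fails
    out["untimestamped_after_expiry"] = evaluate(
        AuthenticodeSignature(cert), now)[0]
    # (C) improper revocation: the CA dates the revocation after the malware was signed
    late = CodeSigningCert(cert.subject, cert.not_before, cert.not_after,
                           revocation_date=datetime(2018, 9, 1))
    out["revoked_after_signing"] = evaluate(
        AuthenticodeSignature(late, signed_at), now)[0]
    # (D) effective revocation: date set no later than the earliest abusive signature
    early = CodeSigningCert(cert.subject, cert.not_before, cert.not_after,
                            revocation_date=effective_revocation_date([signed_at]))
    out["revoked_before_signing"] = evaluate(
        AuthenticodeSignature(early, signed_at), now)[0]
    return out


if __name__ == "__main__":
    for case, trusted in demo().items():
        print(f"{case}: {'TRUSTED' if trusted else 'rejected'}")
```

Case (C) is the practical point: revoking the certificate is not enough if the CA chooses a revocation date after the timestamp on the already-signed malware, because the verifier then sees a signature made while the certificate was still good. Case (D) shows the check a CA or responder should apply, setting the revocation date back to the earliest known abusive signing time.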
Copyright information
© 2021 Springer Nature Switzerland AG
Cite this paper
Kwon, B., Hong, S., Jeon, Y., Kim, D. (2021). Certified Malware in South Korea: A Localized Study of Breaches of Trust in Code-Signing PKI Ecosystem. In: Gao, D., Li, Q., Guan, X., Liao, X. (eds) Information and Communications Security. ICICS 2021. Lecture Notes in Computer Science(), vol 12918. Springer, Cham. https://doi.org/10.1007/978-3-030-86890-1_4
DOI: https://doi.org/10.1007/978-3-030-86890-1_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-86889-5
Online ISBN: 978-3-030-86890-1