Other issues in this category (52)
A digital autograph
Dr.Web virus databases and applications are digitally signed. What are digital signatures and why are they used?
Criminals often fake popular applications and their components (in the case of Dr.Web, the virus databases are a primary target). Attackers would understandably love to replace a database with one missing a certain virus definition. A digital signature guarantees that a loaded application (or its component) has been created and signed by a specific developer and hasn't been tampered with.
Starting with SP2, digital signatures are verified in Windows whenever a program is launched or installed; this applies to drivers too. If no signature is present, the user is notified that the application's publisher is unknown and that it would be unwise to run that program. If the file is signed, information about the developer and the certificate is shown.
Click on the link to learn more about the certificate that has been used.
To digitally sign an application, its developer needs to acquire a Code Signing certificate, also known as a software publisher's certificate.
Certificates of this kind are issued by various companies for various purposes; their features and cost can vary. Once the needed certificate is acquired, it can be used to sign executable files, libraries, and other items, including scripts, MS Office macros, and Java applications.
How are digital signatures generated and verified?
Once a developer has procured the required certificate, they use a special utility to calculate the checksum (hash) for the file they want to sign, encrypt it and place the data package containing the hash (and possibly other data) into the file with the code they need to sign. The data can, for example, be appended to the end of the file./p>
Whenever the application is launched or a component is loaded, the code's hash is calculated using the same routine that was employed to generate the hash when it was signed. For this, the public key found in the certificate is used. The hash is decrypted and the two values are compared.
We previously stated that a certificate can be obtained from a certificate authority. That is correct, but nothing can prevent a developer from creating certificates of their own and using them to sign their files. Naturally, this will enable them to maintain data integrity, but users are likely to question the origins of self-signed files. After all, a certificate doesn't exist on its own. It is connected with its root certificate which was generated by a certificate authority (CA).
As a rule, consumer devices are shipped with root certificates installed on them. When a digital signature is processed, the root certificate—the source of trustworthy information—is verified too. If a self-signed certificate is used, the user will be informed that "the publisher cannot be verified".
It may seem like the solution is obvious. Sign the most popular applications, verify their integrity whenever they are launched, and no anti-virus is needed! Alas, that won't work even if we disregard the possibility that a CA company can be compromised (a certificate is also a commodity that can be stolen and sold).
The encryption ransomware program Mac.Trojan.KeRanger.2 is signed by a valid OS X application publisher certificate and thus can circumvent Apple’s security routines.
Sadly, security researchers who monitor underground forums that trade in certificates indicate that the number of certificates being sold of late is on the rise.
The first post offered certificates for $980 apiece. Clearly, its authors work with a reliable supplier who has constant access to one of the largest CAs.
New certificates appear in stock almost on a weekly basis.
The researchers discovered that code-signing certificates on the black market cost more than weapons.
Selling one certificate can yield a criminal as much as $1,200 (US). Compare: a credit card can be purchased for a few dollars, a social security number costs on average $850, and a handgun can be bought for $600.
Experts, of course, are sounding the alarm.
"Stolen certificates make it impossible for companies to discover a malicious program", said Kevin Bocek, Vice President of Venfai Security Strategy and Threat Intelligence.
Things aren't as scary as they seem. Luckily, digital certificates are not the only way to verify the safety of a file. When Dr.Web checks a file, it factors in the presence of a digital signature (the anti-virus has more tricks up its sleeve than just its virus databases!), but it is not the only security criterion it uses.