OK, wink wink, say no more
Trusted code-signing certificates are being sold to miscreants by allegedly unscrupulous vendors, fueling a growth in digitally signed Windows malware, a study has found.
Security researchers at Masaryk University in the Czech Republic, and Maryland Cybersecurity Center (MCC) in the US, identified and monitored four organizations that sold Microsoft Authenticode certificates to anonymous buyers.
The same research team also collected a corpus of Windows-targeted malware carrying valid digital signatures.
Having studied this material, the infosec bods concluded that vendors are prepared to sell Authenticode certs to anyone who can afford to pay – no questions asked.
These vendors and certificates are trusted by Microsoft and its Windows operating system, so any code, malicious or otherwise, cryptographically signed using these certs appears more legitimate than unsigned software.
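The practical consequence for defenders is that a "Valid" Authenticode status only proves the signature chains to a trusted root, not that the signer is who you expect. The following PowerShell snippet is an added example (not code from the article or the researchers) showing how to go beyond the status field and check the signer's certificate against an allowlist of known thumbprints; the thumbprint values and the file path are placeholders you would replace with your own.

```powershell
# Added example: treat a valid Authenticode signature as a starting point, not a verdict.
# Get-AuthenticodeSignature is a built-in cmdlet; the allowlist below is a constructed placeholder.
$TrustedThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-OF-YOUR-VENDOR-CERT-1',
    'PLACEHOLDER-THUMBPRINT-OF-YOUR-VENDOR-CERT-2'
)

function Test-SignerAllowlisted {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status covers chain validity and hash match; it says nothing about who the signer is.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; Signer = $null; Allowed = $false }
    }

    $cert = $sig.SignerCertificate
    $allowed = $TrustedThumbprints -contains $cert.Thumbprint

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Signer     = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        # A valid signature from a certificate outside the allowlist is the case this article is about.
        Allowed    = $allowed
    }
}

# Usage (placeholder path): flag binaries whose signature is valid but whose signer is unknown.
Test-SignerAllowlisted -Path 'C:\path\to\binary.exe' |
    Where-Object { $_.Status -eq 'Valid' -and -not $_.Allowed }
```

Recording the signer subject and thumbprint alongside the status, rather than just the status, is what makes a later investigation possible when a certificate sold to an anonymous buyer turns up on malware.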