Great part of malware on VirusTotal had Comodo certificate

Comodo center of certification (known now as Sectigo) released the greatest number of certificates that were used for signing of the malware program samples, found on VirusTotal.

It discovered Chronicle specialists during the conducted research.

“Unfortunately, system of certificates is built on a problematic core tenet: Trust”, — argue Chronicle experts.

The chain of trust is relatively straight-forward: certificates are signed (issued) by trusted certificate authorities (CAs), which have the backing of a trusted parent CA. This inherited trust model is taken advantage of by malware authors who purchase certificates directly or via resellers. Whether purchased directly or indirectly, due diligence into customers appears to be lacking.

In the research, Chronicle employees deepen in the analysis of executables Windows files (PE) that were uploaded in popular service of files’ analysis VirusTotal.

Read also: Microsoft published list of dangerous legitimate applications

Next, experts highlighted signed malicious executables and broke them into two groups, with every of them using its own signature certificate.

Experts discovered that in 3815 studied malwares 1775 had Comodo certificate, 509Thawte, 261VeriSign, 131Symantec and 118DigiCert.

Collected data also showed that certificates from 21% of samples were recalled before May 8, 2019.

“All hope is not lost. Certificate authorities are actively revoking certificates from malware executables that are identified in the wild. This indicates that CAs do take their responsibilities seriously, though more diligence around buyers may help prior to the proverbial cat being out of the bag”, — argued Chronicle experts.

Experts highlighted that the only way to address using certificates in criminal purposes is their recalling.


About Trojan Killer

Carry Trojan Killer Portable on your memory stick. Be sure that you’re able to help your PC resist any cyber threats wherever you go.

Check Also

MageCart on the Heroku Cloud Platform

Researchers Found Several MageCart Web Skimmers On Heroku Cloud Platform

Researchers at Malwarebytes reported about finding several MageCart web skimmers on the Heroku cloud platform …

Android Spyware CallerSpy

CallerSpy spyware masks as an Android chat application

Trend Micro experts discovered the malware CallerSpy, which masks as an Android chat application and, …

Leave a Reply