Following Chronicle’s study on signed malware registered on VirusTotal scanning service over a one-year period, Sectigo carried their own investigation to identify abused certificates and revoke them.

Chronicle’s research focused on the number of malicious code samples they found and not on the number of certificates issued by Certificate Authorities (CA). It's important to note that malware can use a certificate as long as it is valid.

Lots of duplicates identified

In a post on Friday, Sectigo reveals that most of the certificates Chronicle found to be issued by the company and abused to sign malware were already expired, already revoked, or duplicates by the time Sectigo looked into the matter; collectively, they account for 90% of the certs attributed to Comodo/Sectigo.

Expired or revoked certs can no longer be used to validate the authenticity and integrity of the file they vouch for.

Duplicate certificates are those that match other certs that had already been logged under a different category. “This duplication may owe itself to multiple uses of the same certificate or multiple reports of the same malware application,” explains Sectigo.

The largest share of the certs Chronicle saw issued by Comodo/Sectigo were duplicates, accounting for 1660 of the results.

After Chronicle’s report, the CA found 127 certificates that were still active, meaning that they still validated the malicious code. The company was swift in its actions and revoked them.

The CA also continues to investigate 25 certificates that could not be accounted for during its inspection. The status for these is “in process.”

“These reported certificates did not match our records of Code Signing certificates from Comodo / Sectigo during our investigation. We are continuing to investigate these certificates,” says Sectigo.

A breakdown of Sectigo’s findings is as follows:

Duplicate: 1660
Expired: 70
Previously revoked: 126
In process: 25
Active (now revoked): 127

Sectigo encourages researchers to report the certificates abused for signing malware. The company provides two email addresses to report misused certificates:

ssl_abuse@sectigo.com
signedmalwarealert@sectigo.com