F-Secure has recently reported "…tens of thousands of malware samples that have been signed (with MS Authenticode)."
MS Authenticode uses digital signatures (code signing) to authenticate software and to inform the user that the software was digitally signed by a publisher whose certificate was issued by a trusted issuer (CA).
In theory, recently downloaded software that carries a valid Authenticode signature is less likely to have been tampered with or to include malware. Depending on the IE policy, some Authenticode-signed software can even bypass IE security zones (http://support.microsoft.com/kb/174360).
(For a detailed TechNet article on Authenticode, see the link at the end of this post.)
Once software is downloaded, some security products, including HIDS, HIPS, and AV solutions, may even ignore Authenticode-signed software entirely. At the very least, many products of these types apply less scrutiny to Authenticode-signed software.
Priveon recommends the following for prevention of Authenticode signed malware:
1) Keep systems up to date. MS updates commonly include changes to the trusted IE and Windows Certificate Authority certificates in hotfixes. (Priveon recommends BigFix for endpoint management and automated patch deployment.)
2) As the F-Secure research shows, malware can ship as trusted, Authenticode-signed executables. In addition to keeping endpoints up to date on hotfixes, Priveon recommends a trusted endpoint security solution such as Bit9. When properly deployed, Bit9 application whitelisting protects systems against unknown and untrusted executables on an endpoint, including Authenticode-signed executables. In addition to preventing malware outbreaks, Bit9 provides detailed reporting and alerts administrators to opportunities for application analysis and user education.
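To make the distinction between "signed" and "trusted" concrete, here is an added PowerShell triage script (not from the Priveon post, F-Secure, or Bit9) that inventories recently downloaded executables and reports whether a cryptographically valid Authenticode signature also comes from a publisher you have explicitly vetted. The publisher thumbprint allow-list is a placeholder, and the Downloads folder and 7-day window are assumptions.

```powershell
# Added example (not from the Priveon post): triage recently downloaded
# executables without treating "Authenticode-signed" as "trusted".
# Assumption: replace the placeholder thumbprint below with the
# thumbprints of publisher certificates your organization has vetted.
$TrustedPublisherThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_OF_VETTED_PUBLISHER_CERT'   # constructed placeholder
)

function Get-DownloadTriage {
    param(
        [string]$Path = (Join-Path $env:USERPROFILE 'Downloads'),  # assumed location
        [int]$Days = 7                                              # assumed window
    )
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe,*.dll,*.msi,*.sys |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            # Status is evaluated against this machine's trust store, which is
            # why keeping CA certificates current (recommendation 1) matters.
            $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
            $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }

            # A valid signature only proves who signed the file; trust comes
            # from the explicit publisher allow-list (recommendation 2).
            $verdict = switch ($sig.Status) {
                'Valid' {
                    if ($TrustedPublisherThumbprints -contains $thumb) { 'ALLOW (vetted publisher)' }
                    else { 'REVIEW (valid signature, publisher not vetted)' }
                }
                'NotSigned' { 'REVIEW (unsigned)' }
                default     { "BLOCK ($($sig.Status): $($sig.StatusMessage))" }
            }

            [pscustomobject]@{
                File       = $_.FullName
                Status     = $sig.Status
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Thumbprint = $thumb
                Verdict    = $verdict
            }
        }
}

Get-DownloadTriage | Sort-Object Verdict | Format-Table -AutoSize
```

Files that land in the REVIEW bucket with a valid signature are exactly the case the F-Secure research describes: signed, but by a publisher nobody has decided to trust.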
For more information on Application Whitelisting solutions and Bit9 or BigFix, please contact a Priveon representative.
F-Secure: http://www.f-secure.com/weblog/archives/00001973.html
F-Secure Research: http://www.f-secure.com/weblog/archives/Jarno_Niemela_its_signed.pdf
Authenticode Technet Article: http://technet.microsoft.com/en-us/library/cc750035.aspx
©2010 by Priveon, Inc.