With the news this month that LockerGoga ransomware is wreaking havoc with industrial and manufacturing firms, Deep Secure Pre-Sales Consultant Aaron Mulgrew reflects on how the use of digitally signed executables should act as a wake-up call for security teams everywhere.

Ransomware is a form of malicious software (or malware) that, once it has taken over an individual's computer, threatens them with harm, usually by denying access to their data. The attacker demands a ransom from the victim, promising (not always truthfully) to restore access to the data upon payment. In just one of several high-profile attacks, LockerGoga crippled Norsk Hydro, one of the world's largest makers of aluminium, forcing the company to shut down and isolate several plants and switch several others into manual mode. The cyberattack, first detected by the company's IT experts, has left the company struggling to maintain operations; it recently reported that the incident has so far cost at least $40 million.

At the time of writing this blog, LockerGoga had a fully undetectable (FUD) status on VirusTotal and, significantly, the executable code component was digitally signed. The use of a digital signature is particularly alarming because it means that the ransomware would in all probability run (or at least download) on any computer in the world. Here's why.

A False Sense of Security

Digital signatures are used by many, including software publishers, to indicate to the intended recipient that the content they have been sent is genuinely from the author. The problem is that over time the presence of a digital signature has become synonymous with the notion that the content can be trusted. The truth is that, given the ease with which certificates can be obtained (literally anyone can get one), the presence of a certificate doesn't indicate that the content can be trusted and actually ends up providing a false sense of security. In this particular case, the executable code that comprised the exploit was signed using certificates from valid signing authorities (though those certificates have now thankfully been revoked), meaning the executables would likely be trusted by most cyber security solutions and would be allowed to run.

The problem of signed code becomes even more worrying when applied to Microsoft Office macros. Office macros are effectively executable code. For security reasons, organisations have the option to set Microsoft Office to allow all macros, only digitally signed macros, or no macros at all. The latter is impractical for many. Financial organisations, for example, rely on Office macros. So, for an attacker, a digitally signed Office macro is ideal. It helps give the victim a false sense of security and greatly increases the chance the code will run unimpeded.
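The two paragraphs above (signed executables, signed macros) come down to one distinction: a cryptographically valid signature and a trusted signer are different checks, and most "signed" badges only perform the first. As an added example, not code from Deep Secure or from the post, the Go program below mints a self-signed code-signing certificate under an arbitrary name, signs a constructed payload, and shows that the signature verifies while a trust check against an explicitly chosen root set rejects it. The function names MakeSelfSignedArtifact, SignatureIsValid and SignerIsTrusted are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// MakeSelfSignedArtifact shows how cheaply a "digitally signed" file is produced: anyone can
// mint a code-signing certificate bearing any name. Returns the cert and an ECDSA signature.
func MakeSelfSignedArtifact(payload []byte, signerName string) (*x509.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: signerName}, // any name the signer likes
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above, so it parses
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return cert, sig, err
}

// SignatureIsValid answers only "was this payload signed by the key in the attached cert?"
func SignatureIsValid(payload []byte, cert *x509.Certificate, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(payload)
	return ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}

// SignerIsTrusted asks the question that matters before code runs: does the signer chain to
// a root the organisation has explicitly chosen to trust for code signing?
func SignerIsTrusted(cert *x509.Certificate, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err == nil
}
```

Passing an empty pool models an organisation that trusts no code signer by default; adding a certificate to the pool models an explicit allow-list decision, which is a policy choice rather than something the signature itself can supply.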

You Can’t “Detect” Code

For the defender, this means that macros and executable code should not be trusted, irrespective of whether they have been signed. But how do you reliably "check" for code when there is a near-infinite number of ways to obfuscate it, and nobody knows what it is really doing until it has been analysed, by which time it's too late? The truth is that traditional detect-and-protect security solutions will always fall short when presented with the problem of executable code and macros, irrespective of whether they have been signed.

Moving Beyond Detection

Organisations need to move beyond detection and embrace new techniques for dealing with the problem of code embedded in digital content.

Instead, organisations must focus on preventing all potentially non-business information from entering their network. Being entirely agnostic to whether hidden information is malicious or not is the sole way to prevent organisations and individuals from falling victim to undetectable attacks.

Content Threat Removal discards code automatically, irrespective of where it has been hidden, using a process called transformation that extracts just valid business information and only allows that to pass unimpeded. In this way it ensures businesses can reap the benefits of digital communication with confidence that the business content they handle is threat free. Zero-day exploits, ransomware, steganography exploits, fileless malware and the threats inherent in polymorphic files are all removed, without relying on the flawed paradigm of threat detection.
