Malware and Signed Code

Microsoft Authenticode® is a technology that can help ensure the source of code.  It does not ensure that code is safe to run, but it can ensure that the code is associated with an entity in a trust chain. Since you should base your trust decision about code on whether you trust the source or not, Authenticode helps you with that decision by giving you more information about the source of code.


Authenticode certificates are issued by Certificate Authorities (CAs), such as Verisign, Comodo (UserTrust), or GlobalSign. CAs are responsible for verifying the identities of the entities to whom they issue certificates. After a CA issues a certificate to an entity, that entity uses the corresponding private key to sign individual files. Any tampering with or modification of the file or certificate invalidates the signature. Microsoft works closely with CAs to monitor the certificates issued to software vendors, particularly when malware is detected.

Code signing is a powerful method of authoritatively identifying code, assuring both the integrity of the file at the time of signing and the identity of the code signer. Signed code is much easier to research and analyze because the association between signer and file is certain. Because of this, antimalware vendors are among the most diligent code signers. This assertion of identity also scales very well – a few code signing certificates positively identify millions of genuine Microsoft files. Signing also enables features like 64-bit Windows Vista Kernel Mode Driver Signing that help improve security by enforcing a code signature requirement and preventing unsigned or modified code from being loaded.

Certificates on non-malicious files

In the first six months of 2008, 10,600 valid code signing certificates were reported to the MMPC on over 1.78 million distinct non-malicious files. 2,447 invalid certificates were reported in the same period on 33,078 files. An invalid certificate can mean the file was altered after signing, there was a problem with the certificate on the local machine, the certificate was revoked, or some other failure occurred while verifying the signature locally. Nearly the same number of unsigned, non-detected files, 1.80 million, were reported to the MMPC in the same period.

Code signing of files by legitimate vendors appears to be accelerating, due to a number of benefits: the ability to trace signed code to its source, and the defense code signing provides against tampering, corruption, or malware infection of the code.

Focus on MpCmdRun.exe

MpCmdRun.exe is the file that Windows Defender uses to schedule scans and download definition updates.  Over time, Microsoft has shipped over two dozen code signed versions of this file. 

In the same time period, over 30,000 distinct files named MpCmdRun.exe with no code signature or a broken code signature have been reported to Microsoft. The code signature is broken by file corruption from unknown sources, by tampering, or by malware infection. Over 22 different malware families were found infecting files named MpCmdRun.exe.
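The inventory described above, reproduced as an added example rather than anything from the original post: a PowerShell script that finds every copy of a named executable under a root path, classifies each by its Authenticode status with the built-in Get-AuthenticodeSignature cmdlet, and flags files that are unsigned, broken, or signed by a publisher other than the one expected. The root path, file name, and expected subject prefix are assumptions passed as parameters; Windows PowerShell 4.0 or later is assumed for Get-FileHash.

```powershell
# Added example (not from the original post): list copies of an executable and
# classify each by its Authenticode signature state.
# Assumes Windows PowerShell 4.0+; the defaults below are illustrative.
param(
    [string]$Root = 'C:\',
    [string]$FileName = 'MpCmdRun.exe',
    # Expected publisher; subject prefix is an assumption for illustration.
    [string]$ExpectedSubject = 'CN=Microsoft Corporation'
)

function Get-SignatureReport {
    param([string]$Root, [string]$FileName, [string]$ExpectedSubject)

    Get-ChildItem -Path $Root -Filter $FileName -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            # Map the SignatureStatus enum to what it usually means in practice.
            $meaning = switch ($sig.Status) {
                'Valid'        { 'signature verifies and the chain is trusted' }
                'NotSigned'    { 'no Authenticode signature present' }
                'HashMismatch' { 'file changed after signing (corruption, tampering or infection)' }
                'NotTrusted'   { 'signature intact but the chain is not trusted on this machine' }
                default        { $sig.StatusMessage }   # other local verification failures
            }

            [pscustomobject]@{
                Path           = $_.FullName
                Status         = $sig.Status
                Meaning        = $meaning
                Signer         = $subject
                SignerExpected = ($subject -like "$ExpectedSubject*")
                SHA256         = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

$report = Get-SignatureReport -Root $Root -FileName $FileName -ExpectedSubject $ExpectedSubject

# Anything not Valid, or Valid but signed by an unexpected publisher, deserves a look.
$suspect = $report | Where-Object { $_.Status -ne 'Valid' -or -not $_.SignerExpected }

$report  | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$suspect | Format-Table Path, Status, Signer, SHA256 -AutoSize
```

The SHA256 column gives an analyst something to compare against a known-good copy; a HashMismatch entry whose hash differs from every shipped version is the "corruption, tampering or infection" case the post describes, while a Valid entry with an unexpected signer is the case the next section covers.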

For software developers, code signing is an excellent defense against tampering and acts as a warning in the case of malware infection. Of course, before signing any file, it is strongly recommended that a thorough malware check be performed on files. Microsoft virus scans and code signs all code that it ships.

Certificates on detected files

Code signed malicious code results from one of three things: malicious code being mistakenly signed by a legitimate entity, private keys issued to other entities being stolen, or malware authors being issued certificates directly by a Certification Authority (CA). The MMPC has not confirmed any cases of private keys being stolen and used on detected code, or any cases of mistaken signing by a legitimate entity, but has confirmed many cases of CAs issuing code signing certificates to malware authors. In most cases, a CA participating in the Microsoft Root Certificate Program is tricked into issuing a valid certificate to a software publisher who then uses it to sign malware. In some cases, the CA is owned and operated by the malware authors, and the first step in infection is tricking users into installing a root certificate.

In the first six months of 2008, the MMPC received reports of 22 million instances of distinct malware files, of which about 173,000 were distinct malware files with code signatures. Of this malware with code signatures, about 38,000 were not validly code signed, so approximately 135,000 validly signed malware files were reported to Microsoft. Approximately 0.6% of detected malware was validly code signed.

Of signed detected files, the severity of the threats tended to be high or severe, with low and moderate threats comprising a much smaller number of files.

[Chart: signed detected files by threat severity]
When the MMPC encounters code signed malware spreading in the wild, we author detection signatures and contact the issuing CA with details of the file in question so the CA can review the issued certificate and determine whether any action is needed. CAs maintain Certificate Revocation Lists (CRLs) on the Internet, which list mistakenly issued, abused, or otherwise problematic certificates. Software like Internet Explorer 7 attempts to check CRLs when verifying the code signature of any downloaded code. Although certificates are also intended to identify the signing parties, Microsoft has been unable to identify any authors of signed malware in cooperation with CAs, because the malware authors exploit gaps in issuing practices and obtain certificates under fraudulent identities.
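The CRL check described above, written out as an added example that is not part of the original post: it reads the signer certificate from a signed file and rebuilds its chain with .NET's X509Chain, with online revocation checking forced on for the whole chain and the code-signing EKU required, so a certificate the CA has since revoked shows up as Revoked rather than silently passing. The sample file path is an assumption; Windows PowerShell 3.0 or later and network access to the CA's CRL distribution points are assumed.

```powershell
# Added example (not from the original post): verify a signer certificate against
# the issuing CA's published revocation data. Assumes Windows PowerShell 3.0+.
function Test-SignerRevocation {
    param([Parameter(Mandatory = $true)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        return [pscustomobject]@{ Path = $Path; Signed = $false; Status = $sig.Status; Problems = @() }
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Fetch CRLs/OCSP for every certificate in the chain, not just the leaf.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # Require the code-signing EKU (OID 1.3.6.1.5.5.7.3.3) rather than any end-entity certificate.
    $null = $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'))

    $ok = $chain.Build($sig.SignerCertificate)
    # Each ChainStatus entry carries one flag; Revoked is the definitive answer,
    # RevocationStatusUnknown / OfflineRevocation mean the CRL could not be consulted.
    $problems = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })

    [pscustomobject]@{
        Path             = $Path
        Signed           = $true
        Status           = $sig.Status
        Signer           = $sig.SignerCertificate.Subject
        Issuer           = $sig.SignerCertificate.Issuer
        ChainOk          = $ok
        Revoked          = [bool]@($chain.ChainStatus | Where-Object { $_.Status -eq 'Revoked' }).Count
        RevocationUnsure = [bool]@($chain.ChainStatus | Where-Object {
                               $_.Status -eq 'RevocationStatusUnknown' -or $_.Status -eq 'OfflineRevocation' }).Count
        Problems         = $problems
    }
}

# Example path (assumed): the Windows Defender command-line scanner discussed above.
Test-SignerRevocation -Path "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" | Format-List
```

Keeping Revoked and RevocationUnsure as separate fields matters in practice: a machine that cannot reach the CRL distribution point reports the latter, and treating that as "not revoked" is exactly the gap that lets a revoked certificate keep working offline.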

You can find more information on this topic in our Security Intelligence Report.

-Joe Faulhaber
