There have been a few recent incidents of what we previously thought was extremely rare – malware authors using code signing certificates that were issued to companies with good reputations.
The high-profile Stuxnet incident included validly signed malware with misappropriated Authenticode certificates from two Taiwanese companies. More recently, it appears a US credit union lost its private key to malware authors who used it to sign some variants of Trojan:Win32/Tapaoux.A as well.
It’s still far more common for malware authors to get their certificates (and the underlying private keys) directly from Certificate Authorities (CAs). This is easier for the malware authors to attempt, but also does not hijack other companies’ reputations. Microsoft continues to work with the CAs to ensure the trustworthiness of the certificates they issue.
The fact that malware authors are targeting private keys for certificates shows the value of code signing. To legitimate enterprises, code signing helps to establish the authenticity and integrity of software. To malware authors, it’s yet another way they try to steal from others.
Unfortunately, code signing can only be as secure as the private keys underlying the technology. Authenticode keys are pretty much digital versions of the physical keys we all know – if you have ever had your keys stolen, it can be scary. And when code signing keys are stolen, the thieves know exactly who they are targeting.
Microsoft has published a helpful guide here: Code-Signing Best Practices. This excellent document includes an explanation of how code signing works in Windows, how to keep those digital private keys physically secured, and my favorite section on virus scanning files to be signed for malware before affixing your reputation to them.
So please, keep your keys safe!