Hold on to Your Keys!

There have been a few recent incidents of what we previously thought was extremely rare — malware authors using code signing certificates that were issued to companies with good reputations.

The high-profile Stuxnet incident included validly signed malware with misappropriated Authenticode certificates from two Taiwanese companies. More recently, it appears a U.S. credit union lost its private key to malware authors who used it to sign some variants of Trojan:Win32/Tapaoux.A as well.

https://blogs.technet.com/b/mmpc/archive/2010/09/16/hold-on-to-your-keys.aspx

Microsoft has also published a guide: Code-Signing Best Practices:
https://www.microsoft.com/whdc/driver/install/drvsign/best-practices.mspx

-Urs