Abstract

Thursday 25 September 14:00 - 14:30, Red room.

Adrian Stefan Popescu (Bitdefender), Gheorghe Jescu (Bitdefender)

Over the last couple of years, Windows has added a growing number of user notifications before a file is executed, from prompts confirming the execution of downloaded applications to warnings for files that are not digitally signed. An increasing number of developers therefore use certificates issued by Certificate Authorities (CAs) to present users with a more trustworthy environment. Although certificates should be used by legitimate developers only, a large number of malware files are digitally signed with trusted certificates. This evasion technique succeeds not only against the operating system, but also against security vendors that apply additional, more lenient filters to files they consider trustworthy because they are signed. This paper presents an analysis of different methods for digitally signing malware files with a certificate: either a certificate stolen from a trusted IT company to which it was originally issued, or a certificate legitimately issued to a developer who then uses it with malicious intent. Where a trusted CA has issued such a certificate, we ask whether the potentially unwanted behaviour may have been intended from the beginning. Finally, this paper tries to raise awareness of possible selection issues at the CA level. Is an in-depth analysis performed on the companies that request certificates, or on the files that will be signed? What should happen when a certificate is explicitly revoked for malicious behaviour?