Comodo Issued Most Certificates for Signed Malware on VirusTotal

Comodo CA (now known as Sectigo) is the Certificate Authority (CA) that issued the largest number of digital certificates used to sign malware samples found on VirusTotal over the past year, Chronicle’s security researchers have discovered. 


Data collected within a 365 day span (with an initial start date of May 7, 2019) revealed that, out of a total of 3,815 signed malware samples, 1,775 used a digital certificate issued by Comodo RSA Code Signing CA. 


The process of cryptographically signing code was meant to provide an operating system with the means to discriminate between legitimate and potentially malicious software. The system relies on a chain of trust, where certificates are issued by trusted CAs that have the backing of a trusted parent CA. 


Malware authors are taking advantage of this inherited trust model to purchase certificates directly or via resellers. Regardless of how the purchase is made, there is a lack of due diligence into customers, Chronicle says. 


At the moment, the researchers note, the only real tool to combat certificate abuse is the revocation of that certificate, a process through which the CA says the certificate is no longer trustworthy, and which introduces a delay in which the signed malware may be considered “trusted”.


For their investigation, Chronicle’s security researchers looked on VirusTotal at signed Windows PE Executable files, filtered out a large number of samples and grayware files, and then identified the CA responsible for each of the samples. 


Their analysis revealed that Comodo was responsible for the largest number of signed samples, at 1,775, with thawte at 509, VeriSign at 261, Sectigo (formerly Comodo) at 182, Symantec at 131, and DigiCert at 1 ..