NDSS2026
Understanding the Status and Strategies of the Code Signing Abuse Ecosystem
Hanqing Zhao, Yiming Zhang, Lingyun Ying, Mingming Zhang, Baojun Liu, Haixin Duan, Zi-Quan You, Shuhao Zhang
Abstract
Using digital certificates to sign software is an important protection for its trustworthiness and integrity. However, attackers can abuse the mechanism to obtain signatures for malicious samples, aiding malware distribution. Despite existing work uncovering instances of code-signing abuse, the problem persists and continues to escalate. Understanding the evolution of the ecosystem and the strategies of abusers is vital to improving defense mechanisms. In this work, we conducted a large-scale measurement of code-signing abuse using 3,216,113 signed malicious PE files collected from the wild. Through fine-grained classification, we identified 43,286 abused certificates and categorized them into five abuse types, creating the largest labeled dataset to date. Our analysis revealed that abuse remains widespread, affecting certificates from 114 countries issued by 46 Certificate Authorities (CAs). We also observed the evolution of abuser techniques and identified current limitations in certificate revocation. Furthermore, we characterized abusers' behaviors and strategies, uncovering five tactics used to evade detection, reduce costs and enhance the impact of abuse. Notably, we uncovered 3,484 polymorphic certificate clusters and, for the first time, documented real-world instances of malware leveraging polymorphism to evade revocation checks. Our findings expose critical flaws in current code-signing practices, and are expected to raise community awareness of the abuse threats.

Introduction
obtain signatures for malware, thereby bypassing the checks of operating systems and antivirus software. This threat is known as "code-signing abuse". Notable related security breaches include Stuxnet [36] (2010), RedLine [28] (2022), and the NVIDIA certificate compromise [34] (2022), all involving stolen private keys used to sign malware. Recently, VirusTotal reported [56] that nearly millions of malware samples have abused signatures, highlighting the gravity of the current situation.

So far, research on code-signing abuse remains limited in both scope and depth. Unlike the Web Public Key Infrastructure (Web PKI), where various threats have been systematically analyzed [10], [21], [32], [46], [50], the code-signing ecosystem faces unique obstacles. The lack of an open, large-scale dataset (available only from real-world samples) and of ground truth on abuse cases impedes scalable measurements in this field. Kim et al. [26] conducted the most comprehensive analysis of code-signing abuse to date in 2017, revealing vulnerabilities in CA issuance, client-side protections, and developer key management. Their analysis benefited from 111 certificates with specific abuse types, a scale that has yet to be expanded. As code-signing abuse remains pervasive, larger-scale, fine-grained measurements are essential to gain a global view of the current ecosystem and to understand the abusive behaviors and strategies that remain unexplored.

Research questions. Our goal is to understand the current security landscape of the code-signing abuse ecosystem, especially at the strategic level of the adversaries. Specifically, we aim to answer the following questions:
Q1: What is the current security status of the code-signing abuse ecosystem?
Q2: What flaws do abusers exploit, and what strategies do they employ for abuse?
Q3: What are the root causes of the rampant abuse of code signing, and how can it be mitigated?

Our work. We started by building a large-scale, fine-grained code-signature abuse dataset for measurement. We collected 6.9M samples from VirusShare [55], spanning Oct. 2020 to Oct. 2024, and 3.8M signed samples from a partnering security company, collected from May 2006 to Sep. 2024. In particular, we focus on code signing for Windows portable executable (PE) files, as Authenticode is the most widely used signature mechanism and PE files are its primary target. We extracted 3,216,113 malicious PE files with code signatures as the base dataset. As 78.25% of the samples in
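Building such a dataset starts with deciding whether a PE file carries an Authenticode signature at all. The following is an added example (not code from the paper or its authors): it parses the PE headers with the Python standard library, reads the security data directory (index 4, which holds a raw file offset rather than an RVA), and reports whether a WIN_CERTIFICATE of type PKCS#7 SignedData is present; a minimal PE32 header image constructed inline serves as sample input, and the hypothetical helper `build_sample` is ours. It locates the signature blob only and does not verify it.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # index of the security data directory
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002     # Authenticode PKCS#7 SignedData

def authenticode_info(data: bytes) -> dict:
    """Locate the Authenticode security directory of a PE image. Returns {'signed': bool}
    plus, when an entry exists, the overlay offset/size and WIN_CERTIFICATE header fields."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt_off = e_lfanew + 4 + 20                 # skip PE signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                          # PE32: data directories start at +96
        dir_off = opt_off + 96
    elif magic == 0x20B:                        # PE32+: data directories start at +112
        dir_off = opt_off + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, dir_off - 4)[0]   # NumberOfRvaAndSizes
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return {"signed": False}
    sec_off, sec_size = struct.unpack_from(
        "<II", data, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if sec_off == 0 or sec_size == 0:
        return {"signed": False}
    # Unlike other directories this entry is a raw file offset; an entry that
    # runs past the end of the file indicates a truncated or tampered image.
    if sec_size < 8 or sec_off + sec_size > len(data):
        return {"signed": False, "malformed": True}
    length, revision, cert_type = struct.unpack_from("<IHH", data, sec_off)
    return {"signed": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
            "offset": sec_off, "size": sec_size, "length": length,
            "revision": revision, "cert_type": cert_type}

def build_sample(signed: bool) -> bytes:
    """Constructed minimal PE32 image (headers only, not executable) for testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)  # i386, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    cert = b""
    if signed:
        # WIN_CERTIFICATE header followed by a 4-byte stand-in for the PKCS#7 body
        cert = struct.pack("<IHH", 12, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + b"\0" * 4
        struct.pack_into("<II", opt, 96 + 8 * 4, 64 + 4 + 20 + 224, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert
```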