Computer users have been taught that software is legitimate if it has been signed with credentials from a valid signing authority, and therefore users have come to trust such signed software. Unfortunately, a new type of malware takes advantage of this trust by obtaining signing credentials (e.g., a key set) from one or more valid authorities under multiple company names. The malicious party then signs and distributes their malicious software application. Because the malicious application is signed with valid credentials, it is likely to be trusted. In due course it will be realized that the software application is malicious, and the signing authority will revoke the associated credentials. At this point, the malicious party uses another credential set, acquired under a different company name, to sign the same malicious application. These credentials will also be revoked in time, but at that point the malicious party will sign the application with yet another set. By employing this strategy, the malicious party can continue distributing the malicious application with a valid signature, even as multiple credential sets are revoked by signing authorities.
Because the signing authority is unaware that the multiple companies are being used by the same malicious party to obtain multiple credential sets to sign the same malicious program, the signing authority only revokes one credential set at a time, as it learns that a specific credential set is being used to sign malware. In some instances, the malicious party creates multiple companies, each of which acquires valid signing credentials at the same time. In other instances, the malicious party frequently changes their company name, and continues to acquire new signing credentials under each new company name over a period of time.
The approach of signing the same or similar malware with multiple signing credentials is frequently used by riskware and other likely unwanted programs, as well as by fake anti-virus applications. For example, the application “Perfect Defender” is signed with credentials under the multiple names Jeansovi LLC, Perfect Software LLC, Sovinsky LLC and Trambambon LLC. Because each signature is valid, malware signed and distributed under this scheme tends to be trusted by users. It would be desirable to address these issues.
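The scheme described above leaves a detectable trace on the defender's side: the same program content appears under signatures from several unrelated company names, and once one of those credentials is revoked, the others that signed the identical content become suspect. The following is an added illustration of that correlation, not code from the original text; it assumes a telemetry feed of (content hash, signer name, revocation status) records, where the content hash is computed over the program with the signature blob excluded, so that re-signing the same binary yields the same hash. The sample records are constructed for the example and reuse the company names quoted above.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SignedSample:
    """One observed signed binary (hypothetical telemetry record)."""
    content_sha256: str  # hash over the program with the signature region excluded (assumed)
    signer: str          # subject name on the code-signing credential
    revoked: bool        # whether the signing authority has revoked this credential


# Constructed sample telemetry, not real data: one program seen under
# three signers, one of which has already been revoked, plus two
# unrelated programs each with a single signer.
SAMPLES = [
    SignedSample("sha256:constructed-program-A", "Jeansovi LLC", revoked=True),
    SignedSample("sha256:constructed-program-A", "Perfect Software LLC", revoked=False),
    SignedSample("sha256:constructed-program-A", "Sovinsky LLC", revoked=False),
    SignedSample("sha256:constructed-program-B", "Acme Tools Inc", revoked=False),
    SignedSample("sha256:constructed-program-C", "Trambambon LLC", revoked=True),
]


def signers_by_program(samples):
    """Map each content hash to the set of distinct signer names seen on it."""
    by_hash = defaultdict(set)
    for s in samples:
        by_hash[s.content_sha256].add(s.signer)
    return by_hash


def find_multi_signer_programs(samples, min_signers=2):
    """Return {content_hash: sorted signer names} for programs signed under
    at least `min_signers` different names. Legitimate software is rarely
    re-signed under unrelated company names, so this alone is a useful flag."""
    return {
        h: sorted(signers)
        for h, signers in signers_by_program(samples).items()
        if len(signers) >= min_signers
    }


def suspect_signers(samples):
    """Propagate revocation across signers of identical content: any
    still-valid credential that signed a program which another, now
    revoked, credential also signed is returned as a suspect."""
    revoked_hashes = {s.content_sha256 for s in samples if s.revoked}
    return {
        s.signer
        for s in samples
        if s.content_sha256 in revoked_hashes and not s.revoked
    }


def classify(sample, samples):
    """Per-sample verdict combining the two checks above."""
    if sample.revoked:
        return "revoked"
    if sample.signer in suspect_signers(samples):
        return "suspect: shares content with a revoked credential"
    if sample.content_sha256 in find_multi_signer_programs(samples):
        return "suspect: content signed under multiple names"
    return "no finding"


if __name__ == "__main__":
    for h, names in find_multi_signer_programs(SAMPLES).items():
        print(f"{h} signed by {len(names)} distinct names: {', '.join(names)}")
    for s in SAMPLES:
        print(f"{s.signer:22} {classify(s, SAMPLES)}")
```

In practice the content hash would come from the verifier's own digest of the signed file (the portion the signature covers), so that the match survives re-signing; a near-duplicate or fuzzy hash could widen the net to "similar" malware, which the text also mentions, at the cost of more false positives.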