Untrusted security certificates used to sign malicious software doubled in number during the course of last year, according to the cybersecurity vendor Kaspersky Lab.
By the end of 2014 more than 6,000 such certificates were being tracked by the firm’s antivirus database, with potential implications for corporate security policies.
Andrey Ladikov, Head of Strategic Research at Kaspersky, wrote on the firm’s blog: "Many system administrators develop their corporate security policies by allowing users to launch only those files that are signed with a digital certificate.
"In addition, some antivirus scanners automatically consider a file to be secure if it is signed with a valid digital certificate.
"However, users’ absolute trust in files signed with digital certificates encourages cybercriminals to search for various ways to have their malicious files signed with the same trusted digital certificates to help use them in their criminal schemes."
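As an added illustration of the point Ladikov makes (example code, not from the article or Kaspersky), the PowerShell check below refuses to treat "signed" as "trusted" and instead pins the signer's certificate thumbprint; the `Test-PinnedSigner` function, the thumbprint values and the staging path are constructed for this example.

```powershell
# Added example: an allow-list policy that is stricter than "any validly signed file".
# The thumbprints below are constructed placeholders; replace them with the SHA-1
# thumbprints of the code-signing certificates your organisation actually trusts.
$TrustedSignerThumbprints = @(
    'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA',  # placeholder: in-house build signer
    'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'   # placeholder: approved vendor release signer
)

function Test-PinnedSigner {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Unsigned, tampered (HashMismatch) or untrusted-chain files fail first.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Allowed = $false; Reason = "Signature status: $($sig.Status)" }
    }

    # 'Valid' only means the certificate chains to a trusted root. A stolen or
    # legitimately purchased certificate from an unknown publisher also yields
    # 'Valid', so the signer itself must be on the pinned list.
    $cert = $sig.SignerCertificate
    if ($TrustedSignerThumbprints -notcontains $cert.Thumbprint) {
        return [pscustomobject]@{ Path = $Path; Allowed = $false; Reason = "Valid but unpinned signer: $($cert.Subject)" }
    }

    return [pscustomobject]@{ Path = $Path; Allowed = $true; Reason = "Pinned signer: $($cert.Subject)" }
}

# Run the check over a staging directory of installers (constructed path);
# rejected rows with a 'Valid but unpinned signer' reason are worth reviewing.
Get-ChildItem 'C:\Staging\*.exe' |
    ForEach-Object { Test-PinnedSigner -Path $_.FullName } |
    Format-Table -AutoSize
```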
Hackers have learnt a number of ways to gain control of certificates to spread malware in the last few years, including hijacking them from smaller software developers, stealing a private key from a corporate network or even buying them legally.
Legally obtained certificates have become increasingly prevalent since the turn of the millennium, now numbering as many as 110,000, which Kaspersky attributes to the loose system of checks involved in purchasing certificates from a certification authority.