There's a flourishing trade in illicit code-signing certificates, and even extended validation certificates can be purchased for a few thousand dollars.

That's the conclusion of a study by American and Czech researchers, with input from Symantec Labs (the company's technical director Christopher Gates is a co-author).

The research found that the success of Microsoft's Windows Defender SmartScreen has forced attackers to change tactics. Once, malware authors would seek out code-signing certificates that had been compromised. During 2017, however, paper says “these methods have become secondary to purchasing certificates from underground vendors”.

The paper cited platform protections like SmartScreen as driving this change.

During 2017, the researchers followed the fortunes of “four leading vendors of code-signing certificates”. One seller turned over a new certificate every couple of days, and for around 50 code-signing certificates they generated US$16,150, suggesting individual certificates are only worth a few hundred each.

That might not be enough to defeat Windows Defender SmartScreen, however. As the paper explained, when SmartScreen encounters a certificate for the first time, it doesn't have a reputation associated with the cert so will raise a warning the user has to click-through during installation.

If attackers “want to go unnoticed, a positive reputation needs to be built for the certificate first by signing benign programs and installing them on many client machines.”

Extended Validation certificates come with a positive SmartScreen reputation. As a result, they cost more.

“Extended Validation code-signing certificates can also be purchased, for a few thousand dollars each, with the 2FA hardware tokens bound to them being subsequently shipped by post”, the paper said.

The researchers reported EV certificates at prices ranging from from $1,600 up to $7,000 for certificates with the best SmartScreen reputation.

The four vendors the researchers followed operated in Russian and English forums, with one called Codesigning Guru launching a store on the public Internet.

There's at least a whiff of the cert-selling operations depending on front companies, although the paper stops just short of making an outright accusation. Having checked the registrations for British operations the researchers said that the “publishers” generating the certificates are “rather young companies, some of them being incorporated around a month before their code-signing certificate was issued, and most of those did not have software development as their primary focus”.

Whether or not the companies were set up specifically for certificate abuse, the paper said it indicates a problem in the certificate ecosystem:

Either a malicious party managed to set up a shell company and have a certificate issued on it (without proving identity of the founder), or impersonate a real company (possibly using the data available in the public register).

That was only the British operations: most of the activity the researchers found originated in Russia.

The paper calls on Certificate Authorities to vet applicants more carefully, and says once a malicious publisher is discovered, all certificates from that publisher should be revoked. ®