Signed Malware Reports: Getting the Numbers Straight
Recent reports of Comodo / Sectigo Code Signing certificates used for malware contain numbers that are difficult to understand and may lead to false conclusions. In this post we clarify the numbers behind the reported malware signing.
A thank you to security monitoring firm Chronicle for identifying 127 active Code Signing certificates from Comodo / Sectigo used to sign malware incidents. We have revoked these certificates.
Unfortunately, recent press reports suggest the incorrect conclusion that Chronicle reported nearly 2000 such certificates for Comodo / Sectigo. Since this story ran, we have investigated all of the certificates attributed to Comodo / Sectigo. More than 90% of these were expired, previously revoked, or duplicate reports. The breakdown is:
Duplicate: 1660
Expired: 70
Previously revoked: 126
In process: 25
Active (now revoked): 127
Definitions
Duplicate: These reported certificates match others that already have been logged in a different category. This duplication may owe itself to multiple uses of the same certificate or multiple reports of the same malware application.
Expired: These certificates had already expired as of this investigation.
Previously revoked: These certificates had already been revoked by Sectigo prior to this investigation. Certificates may potentially have been revoked for reported abuse or at the request of the customer.
In process: These reported certificates did not match our records of Code Signing certificates from Comodo / Sectigo during our investigation. We are continuing to investigate these certificates.
Active (now revoked): These certificates were active as of the investigation and are now revoked. As a matter of policy Sectigo revokes certificates used for malware and does not issue certificates to known abusers.
We encourage Chronicle or any other researcher who becomes aware of misused Sectigo public certificates to report them to us upon discovery at [email protected] or [email protected].