Bit9: when a security company signs malware…

Bit9 offers security solutions that control which applications are authorized to execute on a platform. Rather than relying on detecting malicious applications, Bit9 uses an engine that authorizes only a whitelist of trusted applications. Every application that is not part of the whitelist is by default considered suspect and denied execution. Of course, the Bit9 engine considers as trusted every application issued by Bit9. The control is done by verifying whether the application was properly signed with Bit9's signing key. Bit9 claims that their solution is the ultimate defense, and the only valid answer to Advanced Persistent Threats (APT).

On 8 February 2013, security consultant Brian Krebs announced that some companies had been affected by malware signed by Bit9. Later the same day, Bit9's Chief Executive Officer (CEO), Patrick Morley, acknowledged the problem. Their own solution did not protect some of the Bit9 servers; among them were the servers used to sign digital applications. Attackers were able to penetrate the network and get their malicious code signed by Bit9. Thus, any Bit9 engine would accept these pieces of malware as trusted applications. Bit9 announced that they had started to remedy the issue: they applied their own solution to their complete infrastructure, revoked the compromised digital certificate and informed their customers.

According to Bit9, only three undisclosed customers were affected. Given the high profile of Bit9's customers (defense department, Fortune 100), it may be part of a larger APT targeting some companies. Was it, like the RSA hack, an attempt to use a security technology as an entry door?

Ironically, a few hours before, Bit9 had bragged that antivirus software was old news. It would be interesting to learn how the attackers penetrated the network.

Two lessons:

  • Defense in depth is mandatory; multiply the number of defense mechanisms. Relying on one unique mechanism is brittle security.
  • Signing of production code should be supervised by a trusted human operator. You may use automatic signing for the development process, provided of course that you use an independent root key dedicated to development code. Normally, very few pieces of software go out into the field for production. Thus, using a human operator will not increase the cost.
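To make the second lesson concrete, here is a toy allowlist engine written for this post (an added example, not Bit9's code or product). The endpoint engine trusts only the production signing key: a binary signed under a separate development key is rejected as coming from an unknown key, a tampered binary fails signature verification, and revoking the production key (as Bit9 did with its compromised certificate) makes everything signed under it untrusted. The key generation, the `KeyID` fingerprint scheme and the sample binary content are all assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Added example, not Bit9's code: a toy application-allowlist engine.
// A binary may execute only if its signature verifies under a trusted
// production signing key, and that key has not been revoked.

// Signer holds one Ed25519 key pair. KeyID is a short fingerprint of the
// public key, used to look the key up in the engine's trust store.
type Signer struct {
	KeyID string
	pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
}

// SignedBinary is what ships to the endpoint: the code, the ID of the key
// that signed it, and the signature over the code's SHA-256 digest.
type SignedBinary struct {
	Content []byte
	KeyID   string
	Sig     []byte
}

func keyID(pub ed25519.PublicKey) string {
	fp := sha256.Sum256(pub)
	return hex.EncodeToString(fp[:8])
}

// NewSigner generates a fresh key pair. Production and development code get
// separate Signers, so a leak of the development key cannot produce binaries
// that the production engine trusts.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{KeyID: keyID(pub), pub: pub, priv: priv}, nil
}

// Public returns the verification key to be installed in an Engine.
func (s *Signer) Public() ed25519.PublicKey { return s.pub }

// Sign signs the SHA-256 digest of content, as code-signing systems do.
func (s *Signer) Sign(content []byte) SignedBinary {
	digest := sha256.Sum256(content)
	return SignedBinary{Content: content, KeyID: s.KeyID, Sig: ed25519.Sign(s.priv, digest[:])}
}

// Engine is the endpoint-side allowlist: trusted production public keys
// indexed by KeyID, plus the set of revoked key IDs.
type Engine struct {
	trusted map[string]ed25519.PublicKey
	revoked map[string]bool
}

// NewEngine installs only the given production keys; no development key
// is ever handed to the engine.
func NewEngine(productionKeys ...ed25519.PublicKey) *Engine {
	e := &Engine{trusted: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
	for _, pub := range productionKeys {
		e.trusted[keyID(pub)] = pub
	}
	return e
}

// Revoke models the certificate revocation: binaries signed under the
// revoked key are no longer accepted, however valid their signature.
func (e *Engine) Revoke(id string) { e.revoked[id] = true }

// Allow reports whether the binary may execute and, if not, why.
func (e *Engine) Allow(b SignedBinary) (bool, string) {
	pub, ok := e.trusted[b.KeyID]
	if !ok {
		return false, "unknown signing key"
	}
	if e.revoked[b.KeyID] {
		return false, "signing key revoked"
	}
	digest := sha256.Sum256(b.Content)
	if !ed25519.Verify(pub, digest[:], b.Sig) {
		return false, "bad signature"
	}
	return true, "ok"
}

func main() {
	prod, _ := NewSigner()
	dev, _ := NewSigner()
	engine := NewEngine(prod.Public()) // only the production root is trusted

	app := []byte("constructed sample binary") // constructed input
	for _, c := range []struct {
		name string
		bin  SignedBinary
	}{
		{"production-signed", prod.Sign(app)},
		{"development-signed", dev.Sign(app)},
	} {
		ok, why := engine.Allow(c.bin)
		fmt.Printf("%-20s allowed=%v (%s)\n", c.name, ok, why)
	}
	engine.Revoke(prod.KeyID)
	ok, why := engine.Allow(prod.Sign(app))
	fmt.Printf("%-20s allowed=%v (%s)\n", "after revocation", ok, why)
}
```

The point of the design is that the development root never reaches `NewEngine`, so an automatic build pipeline signing with the development key can be fully unattended without affecting what production endpoints will run; the production `Signer` is the one artifact that warrants a human operator in the loop.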
