In blunder threatening Windows users, D-Link publishes code-signing key
In a ham-fisted move that threatens computer users everywhere, developers at router manufacturer D-Link published a private cryptography key used to certify that software is trustworthy and not malware, a security researcher said.
The software signing key was released in late February on D-Link’s GPL source code sharing website, along with the source code from some of the company’s firmware, Yonathan Klijnsma, a threat intelligence analyst at Dutch security firm Fox IT, told Ars in an e-mail. D-Link used the key to cryptographically sign its software so it could be installed on computers running Microsoft Windows without the operating system generating a security warning. With it leaked to the world, anyone—including developers of keyloggers, remote access trojans, and other types of malware—could use the key to sign their malicious wares so they’re accepted as trusted D-Link software.
It’s not unusual for malware providers to steal or otherwise appropriate valid signing keys to give their wares the appearance of legitimacy. Stuxnet, the computer worm jointly developed by the US and Israel to sabotage Iranian nuclear centrifuges, was among the early pieces of malware to be signed this way. Since then, code signing has become almost standard practice among upper-tier malware distributors. Normally, malicious developers must hack a legitimate certificate holder and acquire the underlying private key. D-Link, it seems, may have saved bad guys this extra step by openly publishing its signing key and allowing it to remain online for seven months.