Defrauding the certificate authorities to get trusted code-signing certificates

Geoff McDonald

Trusted Certificate Authorities (CAs) play an important role in securing our computers. They help us and our computers publicly validate that content is truly from a named organization or individual. Key to this trust is the CA's ability to verify the organization or individual before issuing a certificate in their name to a requestor. In this presentation I will give a quick overview of how CA identity verification works for the various certificate types, and present an observed in-the-wild attack in which malware authors obtain trusted code-signing certificates by impersonating real companies and defeating the CA's Organization Validation (OV) identity verification process. The attackers use the trusted code-signing certificates to digitally sign their malware binaries as part of drive-by web download attacks.
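As an added illustration of the point above (this code is not part of the talk or its author's work), the following Python builds two self-signed stand-ins for code-signing certificates and reads back the only two things a relying party learns from the certificate itself about CA vetting: the asserted organization in the subject, and the CA/Browser Forum certificate-policy OID that records the validation level (2.23.140.1.4.1 for baseline/OV code signing, 2.23.140.1.3 for EV code signing). The organization name and the dependency on the `cryptography` package are assumptions of the example.

```python
"""Added example (not from the talk): what a code-signing certificate
carries about the CA's identity validation, and what it does not.

Assumes the `cryptography` package (pip install cryptography). The
certificates built here are self-signed stand-ins for CA-issued ones,
constructed for illustration only.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID, ObjectIdentifier

# CA/Browser Forum policy identifiers for code-signing certificates.
# The policy OID, not the subject text, records how the CA vetted the requester.
EV_CODE_SIGNING = ObjectIdentifier("2.23.140.1.3")
OV_CODE_SIGNING = ObjectIdentifier("2.23.140.1.4.1")


def build_code_signing_cert(subject: x509.Name, policy: ObjectIdentifier) -> x509.Certificate:
    """Self-signed stand-in for a CA-issued code-signing certificate."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)  # self-signed here; a real CA would be the issuer
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CODE_SIGNING]), critical=False)
        .add_extension(x509.CertificatePolicies([x509.PolicyInformation(policy, None)]), critical=False)
        .sign(key, hashes.SHA256())
    )


def validation_level(cert: x509.Certificate) -> str:
    """Read the CA/B Forum policy OID to learn how the subject was validated."""
    try:
        policies = cert.extensions.get_extension_for_class(x509.CertificatePolicies).value
    except x509.ExtensionNotFound:
        return "unknown"
    oids = {p.policy_identifier for p in policies}
    if EV_CODE_SIGNING in oids:
        return "EV"
    if OV_CODE_SIGNING in oids:
        return "OV"
    return "unknown"


def signer_organization(cert: x509.Certificate) -> str:
    """The O= field: a name the CA asserts it verified, nothing more."""
    attrs = cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)
    return attrs[0].value if attrs else ""


def describe_signer(cert: x509.Certificate) -> dict:
    """Everything a signature check can learn about identity from the leaf cert."""
    return {"organization": signer_organization(cert), "validation": validation_level(cert)}


# Two certificates asserting the same organization (name constructed for this
# example). An OV certificate a CA issued to an impostor who passed the OV
# checks carries exactly the same fields as one issued to the real company;
# the certificate bytes cannot tell the relying party which vetting happened.
ORG = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Software Ltd"),
    x509.NameAttribute(NameOID.COMMON_NAME, "Example Software Ltd"),
])
OV_CERT = build_code_signing_cert(ORG, OV_CODE_SIGNING)
EV_CERT = build_code_signing_cert(ORG, EV_CODE_SIGNING)

if __name__ == "__main__":
    for label, cert in (("OV", OV_CERT), ("EV", EV_CERT)):
        print(label, describe_signer(cert))
```

The takeaway for a verifier of signed binaries is that the subject organization is only as trustworthy as the CA's vetting for the validation level named in the policy OID; an OV certificate with a genuine company name in O= is indistinguishable, on its own, from one obtained by impersonation.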

Speaker's bio: Geoff McDonald is the cloud machine-learning architect and an anti-virus researcher at Windows Defender, specializing in using machine learning to protect our customers from malware. He has a passion for machine learning, reverse engineering, programming tools for reverse engineering and vulnerability fuzzing, and foosball. You can find some of his tools and hobby projects on his personal website or GitHub at