Malware Variant Signed with Valid Digital Certificate

Friday, March 16, 2012



Security vendor Kaspersky has discovered a malware variant in the wild identified as Trojan.Win32.Mediyes that is accompanied by a VeriSign digital certificate.

Digital certificates are used by internet browsers to recognize legitimate websites and to protect surfers from inadvertently exposing themselves to malware, phishing scams, impostors and spoofed landing sites.

"In the last few days a malicious program has been discovered with a valid signature. The malware is a 32- or 64-bit dropper that is detected by Kaspersky Lab as Trojan-Dropper.Win32.Mediyes or Trojan-Dropper.Win64.Mediyes respectively," Kaspersky's Vyacheslav Zakorzhevsky wrote.

The presence of a valid digital signature backed by a certificate from a legitimate CA (certificate authority) makes identifying and defending against the malware more difficult for antivirus software and file scanners.

"Numerous dropper files have been identified that were signed on various dates between December 2011 and 7 March 2012. In all those cases a certificate was used that was issued for the Swiss company Conpavi AG. The company is known to work with Swiss government agencies such as municipalities and cantons. We don't yet know the exact source of Trojan-Dropper.Win32/Win64.Mediyes, but there's reason to believe that it is installed on computers with the help of exploits," Zakorzhevsky continued.

The malware appears to be utilized as part of a click-fraud operation designed to generate revenues for the attackers from a legitimate marketing service.

"After the DLL is launched, it checks which browser it is running in and then starts intercepting browser requests sent to the Google, Yahoo! and Bing search engines. It duplicates all requests on the server of the malicious users which is located in Germany. The search queries are used by the criminals to earn money as part of the Search 123 partner program that works on a pay-per-click (PPC) basis. The server responds to the users’ requests with links from the Search123 system that are clicked without the user knowing about it. This results in the bad guys making money from fake clicks," Zakorzhevsky said.

Kaspersky has requested that VeriSign revoke the rogue certificate immediately.
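The Mediyes case shows why a "valid" Authenticode result is not a verdict on a file. The following PowerShell check is an added illustration, not code from the article or from Kaspersky: it reads the signature on a suspect file, rebuilds the signer chain with live revocation checking (so a certificate revoked after the fact, as VeriSign was asked to do here, is caught), and flags a valid signature from a publisher that is not expected on the host. The file path and the publisher allowlist are assumptions you replace with your own.

```powershell
# Added example (not from the article): audit the Authenticode signature on a
# dropped executable from a defender's point of view. A "Valid" status only
# proves the file was signed with a certificate that chained to a trusted root
# when checked; it does not say the signer should be running code on this host.
# Assumptions: $Path points at the sample under review; the allowlist below is
# a constructed placeholder, not a list taken from the article.

param(
    [Parameter(Mandatory)] [string] $Path
)

# Publishers expected on this host (constructed placeholder; replace with your own).
$AllowedPublishers = @('CN=Example Corp, O=Example Corp, C=US')

$sig = Get-AuthenticodeSignature -FilePath $Path
[pscustomobject]@{
    File   = $Path
    Status = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError ...
    Signer = $sig.SignerCertificate.Subject
    Thumb  = $sig.SignerCertificate.Thumbprint
}

if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature not valid ($($sig.Status)); treat the file as unsigned."
    return
}

# Re-validate the signer chain with online CRL/OCSP checks and the code-signing
# EKU. Get-AuthenticodeSignature does not surface revocation details itself.
$ns = 'System.Security.Cryptography.X509Certificates'
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode = [Enum]::Parse("$ns.X509RevocationMode", 'Online')
$chain.ChainPolicy.RevocationFlag = [Enum]::Parse("$ns.X509RevocationFlag", 'EntireChain')
$codeSigningEku = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
$null = $chain.ChainPolicy.ApplicationPolicy.Add($codeSigningEku)

if (-not $chain.Build($sig.SignerCertificate)) {
    foreach ($s in $chain.ChainStatus) {
        Write-Warning "Chain problem: $($s.Status) - $($s.StatusInformation.Trim())"
    }
}

# Signature validity is not an allowlist decision: a stolen or misissued
# certificate, as in the Mediyes case, produces a perfectly "Valid" result.
if ($AllowedPublishers -notcontains $sig.SignerCertificate.Subject) {
    Write-Warning "Valid signature from an unexpected publisher: $($sig.SignerCertificate.Subject)"
}
```

Run the chain check from a host with outbound access to the CA's CRL and OCSP endpoints, otherwise the revocation step reports an offline status rather than a real answer.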

Last spring, researchers at security solutions provider Avira identified a Zeus Trojan variant accompanied by a signed digital certificate, and on several occasions, Zeus variants have also been detected with forged Kaspersky and Avira digital signatures.

In March, certificate authority Comodo publicly accused Iranian hackers of fraudulently obtaining digital certificates from one of the company's Registration Authorities in Europe.

A falsely issued Google SSL certificate was discovered, and reports indicated that it may have been part of a ploy by the Iranian government to perform Man-in-the-Middle (MitM) attacks.

A MitM attack intercepts a request for an HTTPS-encrypted site and inserts an intermediary into the connection: the attacker establishes the encrypted link with the target system on the victim's behalf while still being able to monitor the data before it is encrypted.

The Iranian government could be interested in using MitM attacks to monitor Internet usage, redirect dissident web surfers, and collect intelligence on opposition factions.

In general, security experts agree that there are issues when it comes to accountability, and that CAs face no serious repercussions for a lack of due diligence in issuing digital certificates.

The lack of accountability in the industry could lead to the issuing of certificates that present criminal enterprises with the opportunity to conduct large scale targeted cyber attacks that threaten businesses and their clientele.

An improperly issued digital certificate for an unqualified domain name would allow an attacker to conduct exploits accompanied by validly signed and authenticated certificates.

Attempts by internet browser providers to improve SSL security have been thwarted by the fact that blacklisting the root certificates of companies with a record of issuing bad certificates would also block access to every website that has obtained a valid certificate from the same companies.

Allen Kelly: I work for Symantec (came over with the 2010 VeriSign security acquisition).

Symantec takes these situations very seriously and is working closely with its customer to resolve the issue. The code signing certificate used to sign the malicious code was authenticated and issued to a legitimate organization. The certificate has since been revoked as it appears that the private keys associated with the certificate (which are controlled by the customer) have been compromised. Symantec employs the highest levels of stringent authentication for every certificate we issue. To be clear, this was not in any way a breach of Symantec’s network or infrastructure. Symantec strongly encourages organizations worldwide to follow security best practices to protect the integrity of their private keys.