Security vendor Kaspersky has discovered a malware family in the wild, detected as Trojan-Dropper.Win32.Mediyes, whose dropper files carry a valid code-signing signature made with a certificate issued by VeriSign.
Certificates issued by certificate authorities (CAs) let browsers verify that they are talking to a legitimate website, protecting users from phishing pages, impostors and spoofed landing sites, and they let operating systems and security software verify who published a signed program. Both uses depend on the CA having issued the certificate only to the entity named in it.
"In the last few days a malicious program has been discovered with a valid signature. The malware is a 32- or 64-bit dropper that is detected by Kaspersky Lab as Trojan-Dropper.Win32.Mediyes or Trojan-Dropper.Win64.Mediyes respectively," Kaspersky's Vyacheslav Zakorzhevsky wrote.
A valid signature that chains to a legitimate CA makes the malware harder for antivirus products and file scanners to identify and block: a signed binary passes the publisher-identity check that unsigned malware fails, and many security products and reputation systems treat validly signed code with less suspicion.
"Numerous dropper files have been identified that were signed on various dates between December 2011 and 7 March 2012. In all those cases a certificate was used that was issued for the Swiss company Conpavi AG. The company is known to work with Swiss government agencies such as municipalities and cantons. We don’t yet know the exact source of Trojan-Dropper.Win32/Win64.Mediyes, but there’s reason to believe that it is installed on computers with the help of exploits," Zakorzhevsky continued.
The malware appears to be used in a click-fraud operation that earns the attackers revenue through a legitimate pay-per-click marketing program.
"After the DLL is launched, it checks which browser it is running in and then starts intercepting browser requests sent to the Google, Yahoo! and Bing search engines. It duplicates all requests on the server of the malicious users which is located in Germany. The search queries are used by the criminals to earn money as part of the Search 123 partner program that works on a pay-per-click (PPC) basis. The server responds to the users’ requests with links from the Search123 system that are clicked without the user knowing about it. This results in the bad guys making money from fake clicks," Zakorzhevsky said.
Kaspersky has requested that VeriSign revoke the rogue certificate immediately.
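The practical lesson of the two preceding points is that a "Valid" Authenticode status is not a clean bill of health: a responder hunting for Mediyes droppers needs to look at *who* signed a file, and whether the CA has revoked that certificate since. The following PowerShell script is an added example written for this page; it is not Kaspersky's code and is not from the article. It assumes the signer subject string "Conpavi AG" as reported above; the thumbprint in the blocklist is a placeholder that must be replaced with the hash published by the vendor or CA, and the `Test-SignerRevoked` helper is a name chosen here.

```powershell
# Added example (not from the article or Kaspersky): hunt a directory tree for
# PE files signed by a known-abused publisher certificate, and check each such
# signer against the CA's current revocation data.
# Assumptions: the subject "Conpavi AG" is as reported in the article; the
# thumbprint below is a placeholder, not the real certificate's hash.
param(
    [string]$Root = 'C:\Users',
    [string[]]$SuspectSubjects = @('Conpavi AG'),
    # Placeholder value; replace with the thumbprint published by the vendor/CA.
    [string[]]$BlockedThumbprints = @('0000000000000000000000000000000000000000')
)

function Test-SignerRevoked {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Build the chain with online revocation checking (CRL/OCSP) for every
    # certificate in the chain, so a certificate the CA has since revoked is
    # reported even though the signature over the file still verifies.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($Cert)
    $flags = $chain.ChainStatus | ForEach-Object { $_.Status }
    return [pscustomobject]@{
        Revoked = ($flags -contains 'Revoked')
        # Unknown means the CRL/OCSP endpoint could not be reached: treat as undecided, not clean.
        Unknown = ($flags -contains 'RevocationStatusUnknown' -or $flags -contains 'OfflineRevocation')
        Status  = ($flags -join ',')
    }
}

Get-ChildItem -Path $Root -Recurse -Include *.exe,*.dll,*.sys -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    # Unsigned files are out of scope for this hunt; they fail the publisher
    # check on their own. Signed files are where the abused certificate hides.
    if ($null -eq $sig.SignerCertificate) { return }
    $cert = $sig.SignerCertificate
    $subjectHit = $SuspectSubjects | Where-Object { $cert.Subject -like "*$_*" }
    $thumbHit   = $BlockedThumbprints -contains $cert.Thumbprint
    if (-not $subjectHit -and -not $thumbHit) { return }
    $rev = Test-SignerRevoked -Cert $cert
    [pscustomobject]@{
        Path            = $_.FullName
        SignatureStatus = $sig.Status      # "Valid" even when the signer is abused
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        Thumbprint      = $cert.Thumbprint
        NotBefore       = $cert.NotBefore
        Revoked         = $rev.Revoked
        RevocationState = $rev.Status
    }
} | Format-Table -AutoSize
```

Two caveats when running this. The revocation check needs network access to the CA's CRL or OCSP endpoints and reflects only what the CA has actually revoked, so until VeriSign acts on Kaspersky's request the subject and thumbprint match is the primary signal, not the `Revoked` column. And because Authenticode honours trusted timestamps, a dropper that was timestamped before the revocation date can continue to report `SignatureStatus = Valid` after revocation, which is another reason to key the hunt on the certificate's identity rather than on the signature status.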
Last spring, researchers at security solutions provider Avira identified a Zeus Trojan variant signed with a valid digital certificate, and on several occasions Zeus variants have also been found carrying forged Kaspersky and Avira digital signatures.
In March of last year, certificate authority Comodo publicly accused Iranian hackers of fraudulently obtaining digital certificates through one of the company's Registration Authorities in Europe.
One of the fraudulently issued certificates was an SSL certificate for a Google domain, and reports indicated that the incident may have been part of an effort by the Iranian government to perform man-in-the-middle (MitM) attacks.
In a MitM attack against an HTTPS site, the attacker places an intermediary between the victim's browser and the real site and presents the fraudulently issued certificate to the browser. The browser accepts it because it chains to a trusted CA, so the victim's encrypted session terminates at the attacker, who opens a separate encrypted connection to the genuine site and relays the traffic, reading or altering it in plaintext in between.
The Iranian government could be interested in using MitM attacks to monitor Internet usage, redirect dissident web surfers, and collect intelligence on opposition factions.
In general, security experts agree that the industry has an accountability problem: CAs face no serious repercussions for a lack of due diligence when issuing digital certificates.
That lack of accountability could lead to the issuance of certificates that give criminal enterprises the means to conduct large-scale targeted attacks against businesses and their clientele.
A certificate improperly issued for a domain name the requester is not entitled to lets an attacker impersonate that site with a certificate that browsers accept as valid and authenticated.
Browser vendors' attempts to improve SSL security have been hampered by the fact that distrusting the root certificate of a CA with a record of bad issuance would also break access to every legitimate website whose certificate chains to that same root.