Malware Signed with Stolen Certificate

November 15, 2011

We are all familiar with the use of secure connections by our Web browsers, which encrypt communications between the browser and the server, in order to prevent eavesdroppers from intercepting confidential information.  (Your browser will indicate a secure session by highlighting the domain name in the URL bar, or with a little padlock icon.)   The SSL/TLS mechanism for establishing these secure connections depends on an infrastructure of cryptographic certificates, issued by a network of Certificate Authorities [CAs].  We saw, back in September, how the compromise of a single CA, DigiNotar in the Netherlands, could create a large headache; there is also some suspicion that the whole CA infrastructure has fundamental problems.

Yesterday, the ThreatPost security news service from Kaspersky Labs reported that a stolen certificate from the Malaysian government was being used to sign malicious software.

F-Secure researchers claim that malware spreading via malicious PDF files is signed with a valid certificate stolen from the Government of Malaysia, in just the latest evidence that scammers are using gaps in the security of digital certificates to help spread malicious code.

F-Secure identified the malware as the Trojan horse program Agent.DTIW.  It apparently exploits a vulnerability in Adobe Reader 8, and comes embedded in a PDF file signed with the stolen certificate.

The malicious PDF was signed using a valid digital certificate for the Agricultural Research and Development Institute of the Government of Malaysia. According to F-Secure, the Government of Malaysia confirmed that the certificate was legitimate and had been stolen “quite some time ago.”

Stolen and bogus certificates have become more common recently.  In addition to the DigiNotar hack, the Stuxnet worm used stolen certificates to infect its target systems. It is somewhat disturbing, in this case, that the Malaysian government has apparently known for some time that the certificate was stolen, but it seems no action was taken to revoke it.
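The point about revocation deserves a concrete look. The following toy verifier is an added example, not code from the original post, F-Secure, or Kaspersky; it uses textbook RSA with tiny constructed primes and a constructed certificate, payload and CRL, so it runs offline but is not a usable signer. It shows that a signature made with a stolen private key verifies exactly like the owner's own, and that the only check which can tell the two apart is revocation status, which a verifier that ignores the CRL never sees.

```python
"""Toy code-signing verifier (added example, not from the original post).

Demonstrates that a cryptographically valid signature made with a stolen
key is indistinguishable from a legitimate one, and that only a revocation
check (CRL/OCSP in practice) lets a verifier reject it.  Uses textbook RSA
with tiny constructed primes; this is an illustration, not a usable signer."""
import hashlib
from dataclasses import dataclass

# Constructed toy RSA key pair (insecure by design; real keys are 2048+ bits).
P, Q = 61, 53
N = P * Q                            # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, 2753


def digest_to_int(data: bytes, n: int) -> int:
    """Hash the file and reduce into the toy modulus range (illustration only)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, d: int, n: int) -> int:
    """Whoever holds d can produce this, owner or thief alike."""
    return pow(digest_to_int(data, n), d, n)


def verify_signature(data: bytes, sig: int, e: int, n: int) -> bool:
    return pow(sig, e, n) == digest_to_int(data, n)


@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    not_before: int   # validity window as day numbers (constructed)
    not_after: int
    e: int
    n: int


def assess(data: bytes, sig: int, cert: Certificate, crl: set, now: int,
           check_revocation: bool = True) -> str:
    """Trust decision for a signed file.

    The signature check proves only that the holder of the private key signed
    the bytes; it cannot tell a thief from the owner.  Expiry and revocation
    are separate checks, and a verifier that skips the CRL keeps trusting a
    stolen certificate until it expires."""
    if not verify_signature(data, sig, cert.e, cert.n):
        return "reject: signature does not verify"
    if not (cert.not_before <= now <= cert.not_after):
        return "reject: certificate outside validity period"
    if check_revocation and cert.serial in crl:
        return "reject: certificate revoked"
    return "accept: signature valid and certificate trusted"


# Constructed certificate standing in for the stolen one; hypothetical subject.
VICTIM_CERT = Certificate(serial=1001, subject="CN=example-institute.gov.example",
                          not_before=0, not_after=1000, e=E, n=N)

# Constructed payload and the signature an attacker can make with the stolen D.
MALICIOUS_PDF = b"%PDF-1.4 (constructed sample, not real malware)\n"
STOLEN_KEY_SIG = sign(MALICIOUS_PDF, D, N)


def demo() -> dict:
    """Same file, same signature; the verdict changes only with revocation."""
    return {
        "before_revocation": assess(MALICIOUS_PDF, STOLEN_KEY_SIG, VICTIM_CERT, set(), now=500),
        "after_revocation": assess(MALICIOUS_PDF, STOLEN_KEY_SIG, VICTIM_CERT, {1001}, now=500),
        "revoked_but_crl_ignored": assess(MALICIOUS_PDF, STOLEN_KEY_SIG, VICTIM_CERT, {1001},
                                          now=500, check_revocation=False),
        "tampered_file": assess(MALICIOUS_PDF + b"x", STOLEN_KEY_SIG, VICTIM_CERT, set(), now=500),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} -> {verdict}")
```

The `before_revocation` and `revoked_but_crl_ignored` cases come out identical: until the certificate's serial is on a revocation list the verifier consults, the stolen-key signature is accepted, which is the situation the post describes. For real PDF or Authenticode signatures the same three steps apply (signature, validity period, CRL/OCSP status), and a verifier should treat an unreachable revocation source as a failure rather than a pass.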

More details are available in a post on the F-Secure News from the Lab blog.
