Malware Signed with Stolen Certificate

We are all familiar with the use of secure connections by our Web browsers, which encrypt communications between the browser and the server, in order to prevent eavesdroppers from intercepting confidential information.  (Your browser will indicate a secure session by highlighting the domain name in the URL bar, or with a little padlock icon.)  The SSL/TLS mechanism for establishing these secure connections depends on an infrastructure of cryptographic certificates, issued by a network of Certificate Authorities [CAs].  We saw, back in September, how the compromise of a single CA, DigiNotar in the Netherlands, could create a large headache; there is also some suspicion that the whole CA infrastructure has fundamental problems.

Yesterday, the ThreatPost security news service from Kaspersky Lab reported that a stolen certificate from the Malaysian government was being used to sign malicious software.

F-Secure researchers claim that malware spreading via malicious PDF files is signed with a valid certificate stolen from the Government of Malaysia, in just the latest evidence that scammers are using gaps in the security of digital certificates to help spread malicious code.

F-Secure identified the malware as the Trojan horse program Agent.DTIW.  It apparently exploits a vulnerability in Adobe Reader 8, and comes embedded in a PDF file signed with the stolen certificate.

The malicious PDF was signed using a valid digital certificate for mardi.gov.my, the Agricultural Research and Development Institute of the Government of Malaysia. According to F-Secure, the Government of Malaysia confirmed that the certificate was legitimate and had been stolen “quite some time ago.”

Stolen and bogus certificates have become more common recently.  In addition to the DigiNotar hack, the Stuxnet worm used stolen certificates to infect its target systems. It is somewhat disturbing, in this case, that the Malaysian government has apparently known for some time that the certificate was stolen, but it seems no action was taken to revoke it.

More details are available in a post on the F-Secure News from the Lab blog.

3 Responses to Malware Signed with Stolen Certificate

  1. […] DigiNotar’s loss of accreditation.   We have also seen stolen certificates used to generate digital signatures used to sign malicious software.    This has put the browser vendors in an uncomfortable […]

  2. […] In addition to its DNS services, VeriSign was a major Certificate Authority, providing digital certificates to a large number of institutions.  (It sold that business to Symantec Corp. in 2010, although Symantec has kept the VeriSign brand name for its certificate business.)  As we saw with the attack against the Dutch Certificate Authority DigiNotar, this raises the possibility that the attackers gathered enough information to enable them to issue bogus certificates, create fraudulent Web sites, and digitally sign malicious software. […]

  3. […] I’ve written here before about the role that Certificate Authorities [CAs] play in supplying credentials used for secure Internet connections via the SSL/TLS protocols, which create an encrypted connection between the user’s browser and the server, while providing the user with some assurance that she is actually connecting to her bank’s Web site, and not some Bad Guy’s imitation.  Unfortunately, we have seen a number of problems with this system, ranging from the hacks of VeriSign, and of the Dutch CA DigiNotar, to the use of a certificate, stolen from the Malaysian government, to sign malicious software. […]
