Malware Strikes With Valid Digital Certificate

We rely upon digital certificates and certificate authorities to validate that online entities are who they say they are, but security firm Malwarebytes recently found a banking Trojan with a valid, signed digital certificate.

Mon, February 04, 2013

CIO — One of the foundational elements of ecommerce is the web of trust enabled by digital certificates. When you go to a web site, you can feel confident that it's legitimate because it has a certificate from a recognized certificate authority that validates it. But the certificates themselves can be vulnerable. Case in point: Security firm Malwarebytes recently discovered some malware in the wild with a valid, signed digital certificate.

"One of our security researchers identified this piece of malware," says Jerome Segura, senior security researcher at Malwarebytes. "It's a typical Trojan with one peculiarity: It was signed, and unlike a lot of malware that uses signatures, this one was valid."

The malware is a banking/password stealer that Segura says uses email to spread. It appears to be a PDF invoice with a valid certificate issued to a real Brazilian software company called "Buster Paper Comercial Ltda," Segura says. The certificate was issued by SSL certificate authority DigiCert.

"I don't think it's stolen, per se," Segura says. "It looks like what [the criminals] did is they looked at this company in Brazil, which is a software company, and essentially made a request in their name to DigiCert. From the point of view of the certificate authority, it looks normal. [The criminals] probably spoofed the email address to buy the certificate. It looks to me as if it's too easy for anybody who does a bit of research to either impersonate a company or set up a fake web site as if it were a company and then buy a certificate."

DigiCert has confirmed that it did issue the certificate but revoked it as soon as it learned of the misuse.

"DigiCert has conducted a thorough review of this matter and can confirm that the certificate was validated and issued in accordance with industry guidelines," the company said in an official statement Monday evening. "At the time that the code signing certificate was issued, Buster Paper Comercial Ltda was a legally registered business as confirmed through the Brazilian Ministerio da Fazenda: Cadastro Sincronizado Nacional. DigiCert's Terms of Use clearly state that malware is not an accepted type of activity for which our certificates can be used. As soon as DigiCert learned of the misuse of the certificate, it was immediately revoked."

When someone clicks on this particular piece of malware, Segura says, it opens what appears to be a PDF invoice. But it also creates a number of processes that connect to an enterprise cloud storage company.
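The practical lesson of this case for defenders is that a signature which verifies is not the end of the check: the certificate can be legitimately issued and later revoked, so revocation status has to be consulted too. The following PowerShell function is an added example written for this article, not code from Malwarebytes, DigiCert or CIO. It reads a file's Authenticode signature and then builds the signer's certificate chain with online CRL/OCSP revocation checking, reporting both results separately so that a "Valid" signature on a revoked certificate is visible. The file path in the usage line is a hypothetical placeholder.

```powershell
# Added example (not from the article): report a file's Authenticode signature status
# and whether the signing certificate chain still checks out, including revocation.
function Test-SignedFileTrust {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path            = $Path
        SignatureStatus = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer          = $null
        ChainOk         = $false
        ChainErrors     = @()
    }

    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject

        # Build the chain with online revocation checking for every certificate in it.
        # A certificate that was valid when the file was signed but revoked afterwards,
        # as in the case described above, is reported here as a chain error.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag =
            [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain

        $result.ChainOk     = $chain.Build($sig.SignerCertificate)
        $result.ChainErrors = @($chain.ChainStatus | ForEach-Object {
            "$($_.Status): $($_.StatusInformation.Trim())"
        })
    }

    [pscustomobject]$result
}

# Usage (hypothetical path; replace with the file under review):
# Test-SignedFileTrust -Path 'C:\Quarantine\invoice.exe'
```

Treat anything other than `SignatureStatus = Valid` together with `ChainOk = $true` as untrusted, and note that even a clean result only establishes who signed the file, which is exactly the property this Trojan abused; it says nothing about what the code does.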
