Resurgence of malware signed with stolen certificates

Since 2009, variants of the Winwebsec rogue AV family have been trying to trick users into believing their computer has been infected and into paying for “registering” the software to get rid of the (non-existent) threat.

Lately, the threat has received another boost: variants have been spotted being distributed signed with credentials stolen from at least twelve different software developers.

These certificates were issued by a number of different CAs (VeriSign, Comodo, Thawte, and DigiCert) to software developers in the Netherlands, US, Germany, Great Britain and Canada.

Microsoft researchers pointed out that the aforementioned list is probably not complete, as it has been compiled by taking into consideration only the certificates used for the samples Microsoft managed to get their hands on.

“Interestingly, one of these certificates was issued only three days before we started seeing malware samples signed with it, which suggests that the malware’s distributors are regularly stealing new certificates, rather than using certificates from an older stockpile,” they shared.

Other malware, such as the Fareit and Ursnif password-stealing Trojans, have also lately been signed with stolen certificates. In addition to this, both have, at one time or another, been capable of stealing certificates and private keys.

The researchers pointed out that since Stuxnet, most attackers signed their malware with a valid digital signature that has been paid for and obtained directly from a legitimate certification authority.

But the resurgence of certificate theft means that software developers should take care to keep their code-signing private keys safe.

“Not only is it inconvenient, and often expensive, to have the certificate replaced, it can also result in loss of your company’s reputation if it is used to sign malware,” they warned, and advised them to peruse the “Code-Signing Best Practices” document the company compiled back in 2007, but still contains valid advice.

“The document recommends keeping private keys physically secure by storing them on a securely-stored hardware device such as a smart card, USB token, or hardware security module,” they pointed out, adding that “no system used to store code-signing credentials should ever be used for web browsing, and it is vital that these systems run a regularly updated antivirus solution, and that any file you sign has been scanned for possible virus infection beforehand.”