Resurgence of malware signed with stolen certificates
Posted on 16.12.2013
Since 2009, variants of the Winwebsec rogue AV family have been trying to trick users into believing their computer has been infected and into paying for “registering” the software to get rid of the (non-existent) threat.


Lately, the threat has received another boost: variants have been spotted being distributed signed with credentials stolen from at least twelve different software developers.

These certificates were issued by a number of different CAs (VeriSign, Comodo, Thawte, and DigiCert) to software developers in the Netherlands, US, Germany, Great Britain and Canada.

Microsoft researchers pointed out that the aforementioned list is probably not complete, as it has been compiled by taking into consideration only the certificates used for the samples Microsoft managed to get their hands on.

“Interestingly, one of these certificates was issued only three days before we started seeing malware samples signed with it, which suggests that the malware’s distributors are regularly stealing new certificates, rather than using certificates from an older stockpile,” they shared.

Other malware, such as the Fareit and Ursnif password-stealing Trojans, has also lately been signed with stolen certificates. In addition, both families have, at one time or another, been capable of stealing certificates and private keys themselves.

The researchers pointed out that since Stuxnet, most attackers who signed their malware have done so with a valid digital signature that was paid for and obtained directly from a legitimate certification authority.

But the resurgence of certificate theft means that software developers should take care to keep their code-signing private keys safe.

“Not only is it inconvenient, and often expensive, to have the certificate replaced, it can also result in loss of your company’s reputation if it is used to sign malware,” they warned, and advised developers to peruse the “Code-Signing Best Practices” document, which the company compiled back in 2007 but which still contains valid advice.

“The document recommends keeping private keys physically secure by storing them on a securely-stored hardware device such as a smart card, USB token, or hardware security module,” they pointed out, adding that “no system used to store code-signing credentials should ever be used for web browsing, and it is vital that these systems run a regularly updated antivirus solution, and that any file you sign has been scanned for possible virus infection beforehand.”
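One practical complement to the storage advice above is to audit the binaries that actually arrive on your systems. The PowerShell below is an added example, not code from the article or from Microsoft: it walks a directory, reads each file's Authenticode signature with the built-in Get-AuthenticodeSignature cmdlet, and flags files whose signature does not validate, whose signer is not on an allowlist, or whose signing certificate was issued only days earlier (the pattern the researchers describe). The scan path, the allowlist thumbprint and the 14-day threshold are constructed placeholders.

```powershell
# Added example (not from the article): audit Authenticode signatures on executables
# and report anything that fails validation, comes from an unexpected signer, or was
# signed with a very recently issued certificate.
# Assumptions (hypothetical): the scan path, allowlist thumbprint and day threshold.

param(
    [string]$Path = 'C:\Temp\incoming',                   # constructed sample path
    [string[]]$AllowedThumbprints = @(
        '0000000000000000000000000000000000000000'         # placeholder: your own signing cert
    ),
    [int]$RecentDays = 14                                 # "freshly issued" heuristic threshold
)

$now = Get-Date

Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.msi -File | ForEach-Object {
    $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
    $cert  = $sig.SignerCertificate
    $flags = @()

    # Anything other than Valid: unsigned, tampered (HashMismatch), untrusted chain, etc.
    if ($sig.Status -ne 'Valid') {
        $flags += "status=$($sig.Status)"
    }

    if ($cert) {
        # A chain that validates says nothing about whether the key was stolen,
        # so compare the signer against the certificates you expect to see.
        if ($AllowedThumbprints -notcontains $cert.Thumbprint) {
            $flags += "unexpected signer: $($cert.Subject)"
        }
        # Certificates issued days before use were the tell in the Winwebsec samples.
        if (($now - $cert.NotBefore).TotalDays -lt $RecentDays) {
            $flags += "certificate issued $($cert.NotBefore.ToShortDateString()), under $RecentDays days old"
        }
    }

    [pscustomobject]@{
        File       = $_.FullName
        Status     = $sig.Status
        Signer     = if ($cert) { $cert.Subject } else { '(unsigned)' }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
        Flags      = ($flags -join '; ')
    }
} | Where-Object { $_.Flags } | Format-Table -AutoSize
```

Note that a signature made with a stolen key reports Status = Valid until the CA revokes the certificate, which is exactly why the script does not stop at the status check; the allowlist and issuance-date heuristics carry the weight, and the latter will also flag legitimately new certificates, so treat its output as a triage list rather than a verdict.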

Copyright 1998-2014 by Help Net Security.