Pierluigi Paganini November 20, 2011

F-Secure Researchers have discovered a digitally signed malware that has code signed with a stolen government certificate belonging to the Malaysian Agricultural Research and Development Institute.

The issue has long been known and this attack methodic has triggered a widespread lack of confidence in the process of trusting based on the use of certificates. The impairment of some famous CA as Diginotar and dissemination of news related to the mode of spread of the dreaded Stuxnet and of its successors have allegedly cracked the mechanism underlying the trust model.

There is a very important consideration to be done by analyzing the case Stuxnet, the malware used valid stolen certificates. Consequense of that is that other malware acts in the same way, for example the Zeus bot looks for any certificates stored on an infected host for possible later usage.

The use of digitally signed code of an application has main purpose is to increase the trust in the development process, avoiding fraud and software alterations. Using digital signed code the malwares are able to elude all controls and related alert provided for the execution of software developed by non-accredited firms.

There are two main problems that are implied by the above examples. First related to the development process that must be improved to protect application certificate and private keys. Software certificates stored on a development box that has Internet access is not a good idea. Ideally, but also more expensive and cumbersome, hardware certificates should be used to sign code. Likewise, signing certificates should be kept on a separate host that does not touch the rest of the network or the Internet.

Second problem is the wide-scoping inherent trust given to any signed certificate from a valid Certificate Authority. Why would my system inherently trust software that says it was developed by a credit union? Right now, the answer is because the Certificate Authority told it to. Too little, isn’t it?

The malware spreads through malicious PDF files that drop it after exploiting Adobe Reader 8 but according F-Secure blog

“This particular malware does not gain much advantage of the signature any more, as the mardi.gov.my certificate expired in the end of September.”

The malware is currently detected as Trojan-Downloader:W32/Agent.DTIW.

http://www.cybersquared.com/the-rise-of-digitally-signed-malware/

http://www.zdnet.com/blog/security/researchers-spot-malware-using-a-stolen-government-certificate/9813