Categories: Cyber CrimeDigital IDHackingMalware

Elude control … let’s digitally sign malware code

F-Secure Researchers have discovered a digitally signed malware that has code signed with a stolen government certificate belonging to the Malaysian Agricultural Research and Development Institute.

The issue has long been known and this attack methodic has triggered a widespread lack of confidence in the process of trusting based on the use of certificates. The impairment of some famous CA as Diginotar and dissemination of news related to the mode of spread of the dreaded Stuxnet and of its successors have allegedly cracked the mechanism underlying the trust model.

There is a very important consideration to be done by analyzing the case Stuxnet, the malware used valid stolen certificates. Consequense of that is that other malware acts in the same way, for example the Zeus bot looks for any certificates stored on an infected host for possible later usage.

The use of digitally signed code of an application has main purpose is to increase the trust in the development process, avoiding fraud and software alterations. Using digital signed code the malwares are able to elude all controls and related alert provided for the execution of software developed by non-accredited firms.

There are two main problems that are implied by the above examples. First related to the development process that must be improved to protect application certificate and private keys. Software certificates stored on a development box that has Internet access is not a good idea. Ideally, but also more expensive and cumbersome, hardware certificates should be used to sign code. Likewise, signing certificates should be kept on a separate host that does not touch the rest of the network or the Internet.

Second problem is the wide-scoping inherent trust given to any signed certificate from a valid Certificate Authority. Why would my system inherently trust software that says it was developed by a credit union? Right now, the answer is because the Certificate Authority told it to. Too little, isn’t it?

The malware spreads through malicious PDF files that drop it after exploiting Adobe Reader 8 but according F-Secure blog

“This particular malware does not gain much advantage of the signature any more, as the mardi.gov.my certificate expired in the end of September.”

The malware is currently detected as Trojan-Downloader:W32/Agent.DTIW.

http://www.cybersquared.com/the-rise-of-digitally-signed-malware/

http://www.zdnet.com/blog/security/researchers-spot-malware-using-a-stolen-government-certificate/9813

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.