
Saturday 26 November 2011

New malware signed with government digital certificate

Hillary O'Rourke, Contributor

It's rare to find malware that has been signed with a legitimate digital certificate. What's even rarer is what researchers at software security company F-Secure found: malware signed with an official key that once belonged to the Malaysian government.

The malware in question takes advantage of an exploit in Adobe Reader 8 and spreads via malicious PDF files. Once the exploit succeeds, the malware downloads additional malicious components, some of which are also signed by a commercial website, from a server called worldnewsmagaizines.org.

The stolen certificate, issued for the domain mardi.gov.my, once belonged to the Malaysian Agricultural Research and Development Institute. Mikko Hypponen, chief research officer at Finland-based F-Secure Corp., wrote in a blog post that his researchers contacted Malaysian authorities and were told the certificate had been stolen “quite a while ago.”

“This is problematic, as an unsigned Windows application will produce a warning to the end user if he downloads it from the internet; signed applications won't do this,” Hypponen wrote. He also noted that some security systems might trust the malware more than unsigned code because of the supposed authenticity of a signed certificate.

However, according to the blog post, the mardi.gov.my certificate expired at the end of September, meaning those Windows application warnings will now appear.

The stolen certificate was issued by a small subordinate certificate authority (CA) in Malaysia called Digicert Sdn. Bhd., not to be confused with the U.S.-based root CA DigiCert Inc. Digicert Sdn. Bhd. is a subordinate CA of Cybertrust/Verizon and Entrust, both of which have revoked the certificates they issued to the CA. Major browser makers such as Google, Opera, Microsoft and Mozilla have also blacklisted the Malaysian CA.

According to a blog post by Yngve Nysaeter Pettersen, a developer at software company Opera Software, the reason for the blacklists stems from the discovery that Digicert Sdn. Bhd. was “issuing certificates that didn't meet several technical and contractual requirements, leading to potential attacks on people visiting Malaysian government websites.”

Some of the certificate problems included a lack of “Extended Key Usage”, which is used to restrict what a certificate can be used for; a lack of pointers to revocation information, so the validity of the certificates couldn't be checked; and an exploit used in a phishing attack.

Pettersen added: “We have also learned that a number of other CAs have also issued about 25 certificates with 512-bit keys. At present we don't have information about these certificates, but we have been informed that the certificates need to be revoked within a week.”
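The three defects the article names (no Extended Key Usage, no pointer to revocation information, 512-bit RSA keys), plus the expiry that eventually made Windows warn again, are all properties a defender can check mechanically before trusting a signed binary. The following is an added example, not code from the article, F-Secure or Opera: it uses the `cryptography` library to build two constructed self-signed certificates, one carrying every weakness named above and one hardened for code signing, and runs a small audit over each. The certificate names, URLs and the 2048-bit threshold are assumptions chosen for the demonstration.

```python
"""Audit an X.509 certificate for the weaknesses described in the article.

Added example (not the article's or any vendor's code). Requires the
'cryptography' package. All certificates here are constructed locally.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import (AuthorityInformationAccessOID,
                                   ExtendedKeyUsageOID, ExtensionOID, NameOID)

MIN_RSA_BITS = 2048  # assumed policy threshold; the article's weak keys were 512-bit


def _has_extension(cert, oid):
    try:
        cert.extensions.get_extension_for_oid(oid)
        return True
    except x509.ExtensionNotFound:
        return False


def _not_after_utc(cert):
    # cryptography >= 42 exposes not_valid_after_utc; older versions only a naive UTC datetime
    not_after = getattr(cert, "not_valid_after_utc", None)
    if not_after is None:
        not_after = cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
    return not_after


def audit_certificate(cert, now=None):
    """Return a list of finding codes; an empty list means no finding."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    findings = []

    # 1. Key strength: short RSA moduli (the article's 512-bit keys) are factorable.
    public_key = cert.public_key()
    if isinstance(public_key, rsa.RSAPublicKey) and public_key.key_size < MIN_RSA_BITS:
        findings.append(f"rsa-key-too-small:{public_key.key_size}")

    # 2. Extended Key Usage restricts what the certificate may be used for.
    if not _has_extension(cert, ExtensionOID.EXTENDED_KEY_USAGE):
        findings.append("no-extended-key-usage")

    # 3. Without a CRL distribution point or OCSP (AIA) pointer, revocation cannot be checked.
    if not (_has_extension(cert, ExtensionOID.CRL_DISTRIBUTION_POINTS)
            or _has_extension(cert, ExtensionOID.AUTHORITY_INFORMATION_ACCESS)):
        findings.append("no-revocation-pointer")

    # 4. Expiry: an expired signing certificate no longer silences the download warning.
    if _not_after_utc(cert) < now:
        findings.append("expired")

    return findings


def _build(common_name, key_bits, not_before, not_after, extensions):
    """Self-signed certificate with the given extensions (constructed test data)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(not_before).not_valid_after(not_after))
    for ext in extensions:
        builder = builder.add_extension(ext, critical=False)
    return builder.sign(private_key=key, algorithm=hashes.SHA256())


def build_demo_certificates():
    """Return (weak_cert, hardened_cert); hostnames and URLs are made up."""
    now = datetime.datetime.now(datetime.timezone.utc)
    day = datetime.timedelta(days=1)

    weak = _build("weak.example.test", 512,
                  now - 400 * day, now - 60 * day, [])  # 512-bit, no EKU, no CRL/OCSP, expired

    hardened = _build("signer.example.test", 2048, now - day, now + 365 * day, [
        x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CODE_SIGNING]),
        x509.CRLDistributionPoints([x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier("http://crl.example.test/ca.crl")],
            relative_name=None, reasons=None, crl_issuer=None)]),
        x509.AuthorityInformationAccess([x509.AccessDescription(
            AuthorityInformationAccessOID.OCSP,
            x509.UniformResourceIdentifier("http://ocsp.example.test"))]),
    ])
    return weak, hardened


if __name__ == "__main__":
    weak_cert, hardened_cert = build_demo_certificates()
    print("weak:    ", audit_certificate(weak_cert))
    print("hardened:", audit_certificate(hardened_cert))
```

The audit deliberately reports every failed check rather than stopping at the first, because a CA that omitted one of these fields tends to have omitted others, and the full list is what a revocation or blacklisting decision is based on. Pointing the same function at a certificate extracted from a signed PE or PDF is a matter of loading it with `x509.load_der_x509_certificate`.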
