Via H-Online -
A governmental digital certificate has been used to sign malware. According to a report by F-Secure, the certificate was used to sign a piece of malware spread through malicious PDF files and dropped after an Acrobat Reader 8 exploit had taken place. The malware is signed by "anjungnet.mardi.gov.my"; mardi.gov.my is the Malaysian Agricultural Research and Development Institute. To make use of a stolen signing certificate, an attacker needs not just the certificate but also the passphrase protecting its private key; that passphrase could have been captured with a key-logger.
The Malaysian authorities told F-Secure that the certificate had been stolen "quite some time ago". It was valid from 29 September 2009 to 29 September 2011 and has therefore now expired, removing the advantage the malware gained from being digitally signed in the first place: unsigned applications produce a warning when the user downloads them from the web, whereas validly signed applications do not. It is nevertheless still very rare to find malware signed with a key that officially belongs to a government.
---------------------------------------------------------------------------------------
With the growth of code-signing technologies and requirements in modern operating systems (e.g. Windows 7 64-bit), it is likely that the use of stolen or fraudulent certificates to sign malware will increase.
CCSS Forum - Digital Certificates Used by Malware
http://www.ccssforum.org/malware-certificates.php
Hat-tip to @diocyde for the CCSS Forum link.