Tuesday, November 15, 2011

Stolen Malaysian Government Certificate Signed Malware

Via H-Online -

A governmental digital certificate has been used to sign malware. According to a report by F-Secure, the certificate was used to sign a piece of malware which has been spread through malicious PDF files, dropped after an Acrobat Reader 8 exploit had taken place. It has been signed by "anjungnet.mardi.gov.my" – mardi.gov.my is the Malaysian Agricultural Research and Development Institute. To steal a certificate capable of signing, an attacker would need not just the certificate but also a passphrase; this could have been stolen by use of a key-logger.

The Malaysian authorities told F-Secure that the certificate had been stolen "quite some time ago"; it was valid from 29 September 2009 to 29 September 2011 and has therefore now expired, removing the advantage gained by the malware in being digitally signed in the first place – unsigned applications produce a warning when the user downloads them from the web, but valid signed applications do not. However, it is still very rare to find malware signed with a key that officially belongs to a government.


---------------------------------------------------------------------------------------

With the growth of code-signing technologies and requirements in modern operating systems (e.g. 64-bit Windows 7, which will not load unsigned kernel-mode drivers), it is likely that the use of stolen or fraudulent certificates to sign malware will increase.

CCSS Forum - Digital Certificates Used by Malware
http://www.ccssforum.org/malware-certificates.php
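Two checks worth automating from the story above: whether a signing certificate was inside its validity window (H-Online's point that expiry removes the advantage holds only for signatures that carry no trusted timestamp; an Authenticode signature countersigned by a timestamp is judged as of the signing time and survives the certificate's expiry), and whether the signer is on a known-abused list such as the CCSS Forum one. The Python below is an added illustration, not code from H-Online, F-Secure, the CCSS Forum or this blog. It hand-encodes a constructed X.509 certificate whose subject CN and validity dates mirror the facts in the post (it is not the real stolen certificate, its key and signature are zero placeholders, and nothing cryptographic is verified), parses it back with a minimal DER walker, and applies the policy; the function names, the "Constructed Test CA" issuer and the serial number are invented for the example.

```python
"""Parse an X.509 code-signing certificate from DER and decide whether a
signature made with it should be trusted.  Added illustration for this post,
not code from H-Online, F-Secure, the CCSS Forum or the blog; the certificate
built below is constructed to mirror the facts reported (subject CN
anjungnet.mardi.gov.my, valid 2009-09-29 to 2011-09-29) and is NOT the real one."""
from datetime import datetime, timezone

# ---- minimal DER encoder (used only to build the constructed sample) ----
def der(tag, body):
    """One DER TLV with a definite length (long form when >= 128 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_seq(*items):
    return der(0x30, b"".join(items))

def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return der(0x06, bytes(out))

# ---- minimal DER decoder ----
def der_read(buf, pos=0):
    """Read one TLV at pos; returns (tag, value_bytes, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                       # long-form length: n & 0x7F length bytes follow
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out

CN_OID = b"\x55\x04\x03"               # 2.5.4.3 id-at-commonName

def name_cn(name_body):
    """Name ::= SEQUENCE OF SET OF (OID, value); return the commonName string."""
    for _, rdn in der_children(name_body):
        for _, atv in der_children(rdn):
            oid, val = der_children(atv)
            if oid[1] == CN_OID:
                return val[1].decode()
    return None

def parse_time(tag, val):
    s = val.decode()
    if tag == 0x17:                    # UTCTime YYMMDDHHMMSSZ; RFC 5280: YY >= 50 means 19YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_cert(cert_der):
    """Serial, issuer CN, subject CN and validity window of a DER certificate.
    The signature over tbsCertificate is NOT verified here."""
    _, cert_body, _ = der_read(cert_der)
    tbs = der_children(der_children(cert_body)[0][1])
    if tbs[0][0] == 0xA0:              # skip the optional EXPLICIT [0] version
        tbs = tbs[1:]
    serial, _alg, issuer, validity, subject = tbs[:5]
    not_before, not_after = [parse_time(t, v) for t, v in der_children(validity[1])]
    return {"serial": int.from_bytes(serial[1], "big"),
            "issuer_cn": name_cn(issuer[1]), "subject_cn": name_cn(subject[1]),
            "not_before": not_before, "not_after": not_after}

def as_utc(x):
    x = datetime.fromisoformat(x) if isinstance(x, str) else x
    return x if x.tzinfo else x.replace(tzinfo=timezone.utc)

def assess_signature(cert, signing_time, timestamped, now, abused_signers=()):
    """Authenticode-style verdict.  A trusted timestamp countersignature fixes
    the signing time, so the certificate only has to have been valid then; an
    un-timestamped signature is judged at verification time, so expiry (as
    with the MARDI certificate) breaks it.  A signer on a known-abused list
    (the CCSS Forum feed is one source) is rejected regardless of dates."""
    if cert["subject_cn"] in abused_signers:
        return "REJECT: signer known to be stolen/abused"
    check_at = as_utc(signing_time) if timestamped else as_utc(now)
    if not (cert["not_before"] <= check_at <= cert["not_after"]):
        return "REJECT: certificate not valid at " + ("signing time" if timestamped else "verification time")
    return "ACCEPT" + (" (timestamped)" if timestamped else "")

def sample_certificate():
    """Constructed DER certificate mirroring the post's facts; key and signature are zero placeholders."""
    name = lambda cn: der_seq(der(0x31, der_seq(der_oid("2.5.4.3"), der(0x0C, cn.encode()))))
    utc = lambda s: der(0x17, s.encode())
    sha256_rsa = der_seq(der_oid("1.2.840.113549.1.1.11"), der(0x05, b""))
    rsa_key = der_seq(der_oid("1.2.840.113549.1.1.1"), der(0x05, b""))
    tbs = der_seq(der(0xA0, der(0x02, b"\x02")),             # version v3
                  der(0x02, b"\x01\x23\x45"),                # serialNumber (invented)
                  sha256_rsa, name("Constructed Test CA"),   # issuer (invented)
                  der_seq(utc("090929000000Z"), utc("110929000000Z")),
                  name("anjungnet.mardi.gov.my"),
                  der_seq(rsa_key, der(0x03, bytes(17))))    # placeholder SPKI
    return der_seq(tbs, sha256_rsa, der(0x03, bytes(17)))    # placeholder signature

if __name__ == "__main__":
    cert = parse_cert(sample_certificate())
    print(cert["subject_cn"], cert["not_before"].date(), "to", cert["not_after"].date())
    for when, ts in (("2010-06-01", True), ("2010-06-01", False)):
        print(when, "timestamped" if ts else "no timestamp", "->",
              assess_signature(cert, when, ts, "2011-11-15"))
    print("with CCSS-style blocklist ->",
          assess_signature(cert, "2010-06-01", True, "2011-11-15", {"anjungnet.mardi.gov.my"}))
```

Run as a script it prints the parsed subject and window, then the verdicts for the date the post was written (2011-11-15): a timestamped signature from mid-2010 is still accepted on dates alone, the same signature without a timestamp is rejected because the certificate has expired, and either is rejected once the signer is on the blocklist. On a real file the DER certificate comes out of the PKCS#7 blob in the PE's security directory, and the dates are only the start: the chain, the timestamp token and the issuing CA's revocation data must be checked as well.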

Hat-tip to @diocyde for the CCSS Forum link.
