Digital Certificates Hide Malware

Fraudsters' Fake Companies Fool Cert Authorities
Malware researchers have uncovered a new tactic fraudsters are employing to shield online attacks behind the guise of legitimate digital certificates.

Internet security provider Malwarebytes discovered variants of a new Trojan linked to a fictitious company in Brazil that had been legally registered. Jerome Segura, a senior researcher at Malwarebytes who recently blogged about this malicious software, says it appears the Brazilian company was established for the sole purpose of obtaining a verifiable digital certificate. From October to February, Segura discovered five variants of the same malware.

In the past week, he's identified 19 more variants.

The use of certificates to mask malware is not new: Hackers have for years tried to hide malicious code as legitimate files within fake certificates, Segura says. In 2012, Adobe's digital-certificate code-signing infrastructure was hacked. The attackers wound up creating at least two malicious files digitally signed via valid Adobe certification, Adobe later revealed. And in July, hackers stole code signing certificates from security firm Bit9 to illegitimately sign malware included in files that appeared to come from the company.

Now attackers have taken their methods a step further, says Segura: rather than hacking code-signing servers, they establish fake companies and use them to have their malware authenticated.

"This means the bad guys have the ability to break into an infrastructure with malware that has been signed with a real certificate," Segura says.

Digital certificates validate files. If malware is hidden in a validated file that is attached to an e-mail, it won't get flagged by the spam filter. When an e-mail with a contaminated file is opened, the e-mail user is connected to a server that downloads a Trojan to the desktop, which was the case with the Brazilian Trojan discovered by Malwarebytes, Segura says.

These types of attacks are often used in spear-phishing campaigns, he says. It's relatively easy for an attacker to find out or guess what type of antivirus software a targeted company is running and then develop a piece of malware that it can't detect.

The Brazilian Threat

In Brazil, Segura found that digital certificates were issued to a fake company called "Buster Paper Comercial Ltda."

The malicious file certified by Buster Paper is a PDF invoice, and the malware, when discovered, connected to a sub-domain for a cloud-storage company focused on file-sharing services, Segura says. "They were unaware that their services have been used to host malware," he writes in his blog.

This is an emerging vulnerability also noted by the global Anti-Phishing Working Group.

Paul Ferguson, vice president of threat intelligence for online security company IID (Internet Identity), a corporate member of the APWG, says sub-domains are being compromised more often to wage malicious attacks. Instead of hacking websites, phishers are breaking into Web servers that host domains - which then allows them to infect hundreds to thousands of websites at once.

In fact, during the first half of 2012, the APWG found that phishers registered more sub-domains than regular domains, with the number of domain names registered by hackers dropping nearly 50 percent since early 2011.

The Lesson for Security

The fact that a file has been signed and validated can no longer guarantee that it's safe, Segura says.

"All these certificate authorities are doing is looking at the business and its registration," he says. "If the business looks legitimate, they grant the certificate."

Ferguson says the real problem is poor Internet hygiene. Until practices, such as the steps certificate authorities follow when issuing digital certificates, are cleaned up, the online world can expect malicious attacks to increase. "This is low hanging fruit for the attackers," Ferguson says.

Segura says, in the short term, it's obvious certificate authorities need to be more responsive and proactive. In the case of the fake Brazilian company, Malwarebytes notified DigiCert, the authority that issued the certificate, and Egnyte, the file host whose sub-domain was compromised.

"They did not act very quickly, and that is a major problem we are seeing in the industry," Segura says. "Their job is to sell certificates, not deny them. But they should do more background on these companies before they are issued a legal document."

Once these fake companies get registered and then receive legitimate certificates for malware, it's much more difficult for security programs and firms to detect the malicious code, he says.


In the end, Segura says companies should follow the same best practices they would when addressing any phishing campaign. "Do not open an attachment, even from someone you know, without first doing a thorough check," he notes.

Other best practices include:

  • Check the file extension and be mindful of multiple file extensions, such as document.pdf.xls.exe;
  • Be leery of file icons. "Just because it looks like a Word document or PDF file doesn't mean it is," he says.
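The two checks above can be automated at an e-mail gateway or on the desktop. The following is an added example, not code from the article or from Malwarebytes; it assumes the caller can supply an attachment's filename and its leading bytes, and the sample attachments at the bottom are constructed.

```python
import os

# Extensions that run code when double-clicked on Windows. A name such as
# document.pdf.xls.exe ends in one of these, whatever the earlier parts say.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi", "hta"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf"}

# Leading bytes a genuine file of each document type starts with. An icon can
# be faked; the first bytes on disk cannot be faked without breaking the file.
MAGIC = {
    "pdf": b"%PDF-",
    "doc": b"\xd0\xcf\x11\xe0",   # OLE2 compound document (legacy Office)
    "xls": b"\xd0\xcf\x11\xe0",
    "docx": b"PK\x03\x04",        # OOXML is a ZIP container
    "xlsx": b"PK\x03\x04",
}
PE_MAGIC = b"MZ"                  # every Windows executable starts with "MZ"

def extension_chain(filename):
    """All dotted extensions, lowercased: 'a.pdf.xls.exe' -> ['pdf', 'xls', 'exe']."""
    parts = os.path.basename(filename).lower().split(".")
    return parts[1:] if len(parts) > 1 else []

def triage_attachment(filename, head):
    """Return a list of findings (empty means nothing suspicious was seen)."""
    findings = []
    chain = extension_chain(filename)
    if not chain:
        return ["no extension"]
    final = chain[-1]
    if final in EXECUTABLE_EXTS:
        findings.append(f"executable extension '.{final}'")
        if any(e in DOCUMENT_EXTS for e in chain[:-1]):
            findings.append("document-style extensions precede executable extension")
    if head.startswith(PE_MAGIC) and final not in EXECUTABLE_EXTS:
        findings.append(f"Windows executable header but extension '.{final}'")
    expected = MAGIC.get(final)
    if expected and not head.startswith(expected):
        findings.append(f"content does not match '.{final}' signature")
    return findings

if __name__ == "__main__":
    # Constructed samples: a real-looking PDF, the multi-extension trick, and an
    # executable renamed to .pdf so it shows a PDF icon.
    for name, head in [("Invoice.pdf", b"%PDF-1.4\n"),
                       ("document.pdf.xls.exe", b"MZ\x90\x00"),
                       ("invoice.pdf", b"MZ\x90\x00")]:
        print(name, triage_attachment(name, head) or "ok")
```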

"There is just so much malware out there," Segura says. "We can't always keep a tab on it. We found this Brazilian Trojan, but I can bet there are more than the 19 [variants] I have discovered out there."

About the Author

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.