Digital Certificates Hide Malware

Fraudsters' Fake Companies Fool Cert Authorities

By Tracy Kitten, March 11, 2013.

Malware researchers have uncovered a new tactic fraudsters are employing to shield online attacks behind the guise of legitimate digital certificates.


Internet security provider Malwarebytes discovered variants of a new Trojan linked to a fictitious company in Brazil that had been legally registered. Jerome Segura, a senior researcher at Malwarebytes who recently blogged about this malicious software, says it appears the Brazilian company was established for the sole purpose of obtaining a verifiable digital certificate. From October to February, Segura discovered five variants of the same malware.

In the past week, he's identified 19 more variants.

The use of certificates to mask malware is not new: hackers have for years tried to pass off malicious code as legitimate files by signing it with fake certificates, Segura says. In 2012, Adobe's digital-certificate code-signing infrastructure was hacked. The attackers wound up creating at least two malicious files digitally signed with a valid Adobe certificate, Adobe later revealed. And in July, hackers stole code-signing certificates from security firm Bit9 to illegitimately sign malware included in files that appeared to come from the company.

Now attackers have taken their methods a step further, says Segura: rather than hacking code-signing servers, they establish fake companies in order to have their malware authenticated.

"This means the bad guys have the ability to break into an infrastructure with malware that has been signed with a real certificate," Segura says.

Digital certificates validate files. If malware is hidden in a validated file that is attached to an e-mail, it won't get flagged by the spam filter. When an e-mail with a contaminated file is opened, the e-mail user is connected to a server that downloads a Trojan to the desktop, which was the case with the Brazilian Trojan discovered by Malwarebytes, Segura says.

These types of attacks are often used in spear-phishing campaigns, he says. It's relatively easy for an attacker to find out or guess what type of antivirus software a targeted company is running and then develop a piece of malware that it can't detect.

The Brazilian Threat

In Brazil, Segura found that digital certificates were issued to a fake company called "Buster Paper Comercial Ltda."

The malicious file certified by Buster Paper is a PDF invoice, and the malware, when discovered, connected to a sub-domain for a cloud-storage company focused on file-sharing services, Segura says. "They were unaware that their services have been used to host malware," he writes in his blog.

This is an emerging vulnerability also noted by the global Anti-Phishing Working Group.

Paul Ferguson, vice president of threat intelligence for online security company IID (Internet Identity), a corporate member of the APWG, says sub-domains are being compromised more often to wage malicious attacks. Instead of hacking websites, phishers are breaking into Web servers that host domains - which then allows them to infect hundreds to thousands of websites at once.

In fact, during the first half of 2012, the APWG found that phishers registered more sub-domains than regular domains, with the number of domain names registered by hackers dropping nearly 50 percent since early 2011.

The Lesson for Security

The fact that a file has been signed and validated no longer guarantees that it's safe, Segura says.

"All these certificate authorities are doing is looking at the business and its registration," he says. "If the business looks legitimate, they grant the certificate."

Ferguson says the real problem is poor Internet hygiene. Until practices such as the steps certificate authorities follow when issuing digital certificates are cleaned up, the online world can expect malicious attacks to increase. "This is low-hanging fruit for the attackers," Ferguson says.
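The practical consequence of Segura's point is that "the signature verifies" can only be the first gate: a certificate issued to a legally registered shell company passes chain validation just as well as one issued to a real vendor. The following PowerShell triage script is an added example, not from the article or from Malwarebytes; it assumes Windows executables (Authenticode-signed PE files) in a download folder and uses a placeholder thumbprint for the approved publisher allowlist.

```powershell
# Added example: treat a valid Authenticode signature as necessary but not sufficient.
# Trust is gated on an explicit allowlist of publisher certificate thumbprints, not on the
# subject name, because the subject ("Buster Paper Comercial Ltda" in the article) is exactly
# what the fraudster chose when registering the company.
$ApprovedPublisherThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_OF_YOUR_APPROVED_PUBLISHER'   # assumption: fill from your own inventory
)

function Test-TrustedSignedFile {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Gate 1: the signature is cryptographically valid and chains to a trusted root.
    # Unsigned, tampered or untrusted-chain files fail here.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false
                                  Reason = "Signature status: $($sig.Status)" }
    }

    # Gate 2: the signer must be a publisher we deliberately approved.
    # A CA-issued certificate for a freshly registered front company passes gate 1 but not gate 2.
    $thumb   = $sig.SignerCertificate.Thumbprint
    $subject = $sig.SignerCertificate.Subject
    if ($ApprovedPublisherThumbprints -notcontains $thumb) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false
                                  Reason = "Valid signature from unapproved publisher: $subject ($thumb)" }
    }

    return [pscustomobject]@{ Path = $Path; Trusted = $true
                              Reason = "Approved publisher: $subject" }
}

# Triage every PE file in the user's Downloads folder and surface the ones that verify
# but come from a publisher nobody approved; those are the review queue, not "safe" files.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Include *.exe, *.dll, *.msi -Recurse -File |
    ForEach-Object { Test-TrustedSignedFile -Path $_.FullName } |
    Where-Object { -not $_.Trusted } |
    Format-Table -AutoSize
```

Files reported with "Valid signature from unapproved publisher" are the case the article describes: they would sail past a check that stops at signature validity.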

Follow Tracy Kitten on Twitter: @FraudBlogger
