Monday, November 14, 2011

Digital Certificate Stolen from Malaysian Government Used to Sign Malware

Figure: File Properties for Malware Signed with Stolen Government Certificates (screenshot credit: F-Secure)

Researchers at F-Secure have discovered that a code signing certificate stolen from the Government of Malaysia is being used to sign malware.

Malware that has been signed with a code signing certificate can be troublesome because it is typically trusted more than an unsigned application. Warnings are displayed to the end-user if they attempt to open an unsigned application downloaded from the web. However, nothing is shown if the program is signed.

Stumbling across signed malware is quite the rarity, let alone malware toting the official keys of a stolen government certificate.

According to F-Secure, the certificate used to sign the malware being spread belongs to the Malaysian Agricultural Research and Development Institute and is reported to have been stolen “a long time ago.”

The file properties on the sample analyzed by F-Secure researchers show:
Publisher: Adobe Systems Incorporated
Copyright: Copyright (C) 2010
Product: Adobe Systems Apps
File version: 8, 0, 12, 78
Comments: Product of Adobe Systems

The signing info reads:

Signer: anjungnet.mardi.gov.my
Digisign Server ID (Enrich)
GTE CyberTrust Global Root
Signing date: 5:36 24/08/2011

The malware, identified as Trojan-Downloader:W32/Agent.DTIW, is being spread via malicious PDF files and exploits a known vulnerability within Adobe Reader 8 to take hold of the targeted machine. The Trojan then opens up a backdoor and downloads additional malware from a server at worldnewsmagazines.org.

Some of the additional malware that is downloaded is also signed, although those signatures belong to www.esupplychain.tw and not the Government of Malaysia.

Thankfully the stolen certificate used on this particular piece of malware expired on September 29th, 2011, although this serves as a reminder that just because an application is signed doesn't mean that it's safe.
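The file properties and signing info quoted above illustrate two checks a defender can automate: the version-info "Publisher" claims Adobe, yet the certificate signer is a Malaysian government domain, and the certificate has since expired. The following is an added example, not code from the post or from F-Secure; the sample record is constructed from the values the post quotes, and the publisher-to-signer comparison is a simple heuristic of my own, not a standard from any tool.

```python
from datetime import datetime
from typing import Dict, List

# Constructed sample mirroring the metadata quoted in the post
# (PE version-info "Publisher" vs. the Authenticode signer name).
SAMPLE: Dict[str, str] = {
    "publisher": "Adobe Systems Incorporated",
    "signer": "anjungnet.mardi.gov.my",
    "signing_date": "5:36 24/08/2011",   # H:MM DD/MM/YYYY, as shown in the post
    "cert_not_after": "2011-09-29",      # expiry date stated in the post
}


def parse_signing_date(text: str) -> datetime:
    """Parse the 'H:MM DD/MM/YYYY' form used in the quoted signing info."""
    return datetime.strptime(text, "%H:%M %d/%m/%Y")


def review_signature(meta: Dict[str, str], now: datetime) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked off."""
    findings: List[str] = []
    signer = meta["signer"].lower()
    publisher = meta["publisher"].lower()

    # 1. The organisation named in the version info should be reflected in the
    #    signer identity. Heuristic (assumption): the leading word of the
    #    publisher name, e.g. "adobe", should appear in the signer CN/DNS name.
    if publisher.split()[0] not in signer:
        findings.append(
            f"publisher '{meta['publisher']}' does not match signer '{meta['signer']}'"
        )

    signed_at = parse_signing_date(meta["signing_date"])
    not_after = datetime.strptime(meta["cert_not_after"], "%Y-%m-%d")

    # 2. A signature produced after the certificate's notAfter date is invalid.
    if signed_at > not_after:
        findings.append("signed after certificate expiry")
    # 3. Otherwise, an expired certificate still stops vouching for the file at
    #    verification time unless a trusted timestamp countersignature exists.
    elif now > not_after:
        findings.append(f"signing certificate expired on {not_after.date()}")

    return findings


if __name__ == "__main__":
    for line in review_signature(SAMPLE, datetime(2011, 11, 14)):
        print("finding:", line)
```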

You can see the full report from F-Secure here.

Be sure to follow us on Twitter at @hyphenet or “Like” us on Facebook to stay up-to-date on the latest tech news and computer security threats.
