Researchers from F-Secure have observed a piece of malware carrying an unusual piece of luggage – a valid code-signing certificate belonging to the government of Malaysia.
Code-signing certificates are meant to demonstrate the authenticity of a particular piece of software, making them potentially a hot commodity for people looking to dupe security mechanisms.
“Every now and then we run into malware that has been signed with a code signing certificate,” blogged Mikko Hypponen, chief research officer at F-Secure. “This is problematic, as an unsigned Windows application will produce a warning to the end user if he downloads it from the web — signed applications won't do this. Also some security systems might trust signed code more than unsigned code.”
The certificate in this case was signed by “anjungnet.mardi.gov.my,” a site belonging to Malaysia’s Agricultural Research and Development Institute. The certificate was stored on a server that was hacked, and apparently expired at the end of September. Authorities Malaysian told F-Secure the certificate was stolen “some time ago”, Hypponen noted.
“In some of these cases, the certificate has been created by the criminals just for the purpose for signing malware,” he added. “In other cases they steal code signing certificates (and their passphrases) so they can sign code as someone else.”
F-Secure detects the malware as Trojan-Downloader:W32/Agent.DTIW. The malware itself is propagating through malicious PDF files that drop after exploiting a vulnerability in Adobe Reader 8. The malware then downloads malicious components from a server called worldnewsmagazines.org. Some of the components are signed by an entity called esupplychain.com.tw.
In an email to SecurityWeek, Hypponen described the situation as a targeted attack focused on an organization in Asia.
While rare, malware using digital certificates is not unheard of. Most infamously, Stuxnet installed drivers digitally signed by RealTek Semiconductor and JMicron Technology. In the past several months, the security of certificate authorities has been front and center. Earlier this month, Microsoft and Mozilla announced they were revoking trust in certificates issued by Malaysian CA Digicert after it was discovered its certificates used weak 512-bit keys and were missing certain certificate extensions.