Researchers at Microsoft say a sophisticated family of rogue antivirus malware has reappeared using at least a dozen digital code-signing certificates.
The use of the certificates is yet another example of malware authors abusing the Internet’s trust ecosystem in order to comprise users. With a stolen certificate in tow, a cybercriminal can sign a piece of malware and make it appear as though it is software from a legitimate developer.The tactic is not new; in fact, the notorious Stuxnet malware was observed using a valid signature when it was discovered by the security community in 2010.
During the past month, a rogue antivirus program known as ‘Antivirus Security Pro’ (detected as Rogue:Win32/Winwebsec) has stepped up and adopted the tactic in a big way, as Microsoft speculates that the dozen or so certificates it has seen being used may just be the tip of the iceberg if there are other variants are out there.
“A related family, TrojanSpy:Win32/Ursnif, has also been distributed with files signed using stolen credentials,” blogged David Wood of Microsoft’s Malware Protection Center. “We have observed Winwebsec downloading Ursnif, a Trojan that monitors web traffic, and steals sensitive information, including passwords. Earlier variants of Ursnif were also capable of stealing certificates and private keys, but this functionality does not appear to be present in the latest versions. Instead, it appears to have been added to certain samples of PWS:Win32/Fareit.”
The certificates used by Antivirus Security Pro were issued to developers by some of the most prominent certificate authorities in the world, including VeriSign and Comodo. According to Microsoft, one of these certificates was issued just three days before researchers saw malware samples signed with it, suggesting that the malware’s distributors are regularly stealing new certificates as opposed to using older certificates they previously stockpiled.
“Just as it is important to keep your house and car keys secure, securing your code-signing private keys is essential,” Wood blogged. “Not only is it inconvenient, and often expensive, to have the certificate replaced, it can also result in loss of your company’s reputation if it is used to sign malware.”
“Certainly, no system used to store code-signing credentials should ever be used for web browsing, and it is vital that these systems run a regularly updated antivirus solution, and that any file you sign has been scanned for possible virus infection beforehand,” he continued.
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- In Other News: New Analysis of Snowden Files, Yubico Goes Public, Election Hacking
- China’s Offensive Cyber Operations in Africa Support Soft Power Efforts
- Air Canada Says Employee Information Accessed in Cyberattack
- BIND Updates Patch Two High-Severity DoS Vulnerabilities
- Faster Patching Pace Validates CISA’s KEV Catalog Initiative
- SANS Survey Shows Drop in 2023 ICS/OT Security Budgets
- Apple Patches 3 Zero-Days Likely Exploited by Spyware Vendor to Hack iPhones
- New ‘Sandman’ APT Group Hitting Telcos With Rare LuaJIT Malware
