Researchers at Microsoft say a sophisticated family of rogue antivirus malware has reappeared using at least a dozen digital code-signing certificates.
The use of the certificates is yet another example of malware authors abusing the Internet’s trust ecosystem in order to comprise users. With a stolen certificate in tow, a cybercriminal can sign a piece of malware and make it appear as though it is software from a legitimate developer.The tactic is not new; in fact, the notorious Stuxnet malware was observed using a valid signature when it was discovered by the security community in 2010.
During the past month, a rogue antivirus program known as ‘Antivirus Security Pro’ (detected as Rogue:Win32/Winwebsec) has stepped up and adopted the tactic in a big way, as Microsoft speculates that the dozen or so certificates it has seen being used may just be the tip of the iceberg if there are other variants are out there.
“A related family, TrojanSpy:Win32/Ursnif, has also been distributed with files signed using stolen credentials,” blogged David Wood of Microsoft’s Malware Protection Center. “We have observed Winwebsec downloading Ursnif, a Trojan that monitors web traffic, and steals sensitive information, including passwords. Earlier variants of Ursnif were also capable of stealing certificates and private keys, but this functionality does not appear to be present in the latest versions. Instead, it appears to have been added to certain samples of PWS:Win32/Fareit.”
The certificates used by Antivirus Security Pro were issued to developers by some of the most prominent certificate authorities in the world, including VeriSign and Comodo. According to Microsoft, one of these certificates was issued just three days before researchers saw malware samples signed with it, suggesting that the malware’s distributors are regularly stealing new certificates as opposed to using older certificates they previously stockpiled.
“Just as it is important to keep your house and car keys secure, securing your code-signing private keys is essential,” Wood blogged. “Not only is it inconvenient, and often expensive, to have the certificate replaced, it can also result in loss of your company’s reputation if it is used to sign malware.”
“Certainly, no system used to store code-signing credentials should ever be used for web browsing, and it is vital that these systems run a regularly updated antivirus solution, and that any file you sign has been scanned for possible virus infection beforehand,” he continued.