No certificate for you! Verisign revokes cert from malware fiends

Filed Under: Malware, Vulnerability

Screenshot of the revocation of the certificate used to sign the malware that exploited CVE-2010-2883

I spent some time last week looking into the digital signature involved with the recent zero day malware targeting Adobe Reader. Similar to the Stuxnet situation, Verisign has revoked the signing certificate used to sign the payload associated with this attack.

Software signing certificates work like this: a Certificate Authority (CA) whose root is trusted by the operating system issues code-signing certificates, directly or through an intermediate CA, to software publishers, and the publisher's private key is what actually produces the signatures. Anyone who gets hold of that key can sign in the publisher's name.

In this case it appears Vantage Credit Union was using this certificate, issued by Verisign, to sign software that lets its customers connect Quicken and Microsoft Money securely to its systems.

Certificates also carry an attribute (the CRL Distribution Points extension) giving the location from which the issuer's CRL (Certificate Revocation List) can be fetched.

The CRL is a list, signed by the issuing CA, of certificates that must no longer be trusted even though they have not yet expired; a compromised or stolen private key is the classic reason for an entry.
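As an added example (not code from the original post, and not anything Verisign or the credit union ships), here is a small Python script using the `cryptography` package that builds a throwaway code-signing CA, issues a leaf certificate carrying a CRL Distribution Points URL, has the CA publish a CRL revoking that leaf, and then checks a certificate against the CRL the way a careful verifier should: confirm the CRL was really signed by the issuer and is still current before believing what it says. The CA and publisher names and the crl.example.invalid URL are constructed fixtures.

```python
"""Added example, not code from the original post: a tiny in-memory code-signing
PKI whose CA publishes a CRL revoking a leaf, plus the checks a verifier runs
against it. Needs the `cryptography` package; all names and URLs are made up."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

CRL_URL = "http://crl.example.invalid/codesigning.crl"  # constructed, not a real CDP
UTC = datetime.timezone.utc


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _days(n):
    return datetime.datetime.now(UTC) + datetime.timedelta(days=n)


def make_ca(cn="Example Code Signing CA"):
    """Self-signed CA, standing in for a root the OS already trusts."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(_days(-1)).not_valid_after(_days(3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_signing_cert(ca_key, ca_cert, publisher):
    """Leaf with the codeSigning EKU and the CRL Distribution Points extension
    that tells a verifier where the issuer's revocation list lives."""
    key = ec.generate_private_key(ec.SECP256R1())
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(CRL_URL)],
        relative_name=None, reasons=None, crl_issuer=None)])
    cert = (x509.CertificateBuilder()
            .subject_name(_name(publisher)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(_days(-1)).not_valid_after(_days(365))
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CODE_SIGNING]), critical=False)
            .add_extension(cdp, critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def publish_crl(ca_key, ca_cert, revoked_serials, reason=x509.ReasonFlags.key_compromise,
                valid_days=7):
    """What the issuer signs and publishes once it learns a subscriber key was stolen."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(_days(-1)).next_update(_days(valid_days)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(_days(-1))
            .add_extension(x509.CRLReason(reason), critical=False).build())
    return builder.sign(ca_key, hashes.SHA256())


def crl_urls(cert):
    """URLs a verifier would fetch, read from the certificate's CRL Distribution Points."""
    try:
        dps = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        return []
    return [gn.value for dp in dps for gn in (dp.full_name or [])
            if isinstance(gn, x509.UniformResourceIdentifier)]


def revocation_status(cert, crl, issuer_cert):
    """Return 'revoked:<reason>', 'good', 'untrusted-crl' or 'stale-crl'.
    The list only means something if the issuer really signed it and it is still
    current; a forged or outdated CRL is how an attacker keeps a stolen cert alive."""
    if not crl.is_signature_valid(issuer_cert.public_key()):
        return "untrusted-crl"
    nu = getattr(crl, "next_update_utc", None) or crl.next_update  # older releases: naive UTC
    if nu is not None and nu.replace(tzinfo=nu.tzinfo or UTC) < datetime.datetime.now(UTC):
        return "stale-crl"
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    if entry is None:
        return "good"
    try:
        reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason.name
    except x509.ExtensionNotFound:
        reason = "unspecified"
    return "revoked:" + reason
```

In real life the verifier (Windows, for Authenticode) reads the URL out of `crl_urls`, downloads the CRL, and only then runs the equivalent of `revocation_status`; the signature and freshness checks are the part people forget, and they are what stops an attacker from simply serving you an older CRL from before the revocation.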

Screenshot of certificate post-revocation

Here is a picture of what you see when looking at the digitally signed DLL shipped with the malware. Now that Verisign has revoked the certificate, Windows reports "A certificate was explicitly revoked by its issuer". Computerworld reported that after the revocation some of the credit union's customers experienced difficulties doing online banking, since the same certificate had also signed their legitimate software. The good news is that this particular malware would now seem to have been put out of commission.

This may not matter if it was only used in a targeted attack, but it certainly shows the downside of signing your malware with a stolen certificate: it may draw more of the wrong kind of attention than you really want.

It also demonstrates that at least some of the people buying Authenticode signing certificates are not putting sensible protections around their private keys.

I am not a big fan of the chain of trust, as I do not know who should be trusted, nor do I know what their practices are for securely managing and storing these certificates and their keys. I am sure this credit union is perceived as a trustworthy institution within the communities it serves, but that does not mean it lives up to my expectations for security. This doesn't even take into account that just about anyone who chooses can buy one of these certificates without strong verification or any particular reason for trust.

Be careful what and whom you trust, and if you will be at Virus Bulletin here in Vancouver at the end of the month, be sure to attend SophosLabs researcher Mike Wood's presentation on the use and abuse of digital certificates by the malware community.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.