Adobe revokes certificate after hackers compromise server, sign malware

Filed Under: Adobe, Featured, Security threats, SophosLabs, Vulnerability

Adobe security chief Brad Arkin has warned that hackers have managed to create malicious files with Adobe's digital code-signing signature.

According to a blog post published on Thursday, the issue appears to have been the result of hackers compromising a vulnerable build server.

Malware seen using the digital signature includes pwdump7 v7.1 (a utility that scoops up password hashes; it is sometimes distributed as a single file that statically links the OpenSSL library libeay32.dll).

According to Adobe, the second malicious utility is myGeeksmail.dll, a malicious ISAPI filter.


Adobe plans next week to revoke the certificate for all code signed after July 10, 2012, according to an advisory from the company:

The certificate revocation will affect the following certificate:

  • sha1RSA certificate
  • Issued to Adobe Systems Incorporated
  • Issued by VeriSign Class 3 Code Signing 2010 CA
  • Serial Number: 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88
  • sha1 Thumbprint: fd f0 1d d3 f3 7c 66 ac 4c 77 9d 92 62 3c 77 81 4a 07 fe 4c
  • Valid from December 14, 2010 5:00 PM PST (GMT -8:00) to December 14, 2012 4:59:59 PM PST (GMT -8:00)

However, even when a CA (Certificate Authority) revokes a certificate for an abused private key, any digital signature made before the revocation date will remain valid.

This very topic was covered in a paper presented by my SophosLabs colleague Mike Wood at the Virus Bulletin conference in Vancouver two years ago, "Want My Autograph? The use and abuse of digital signatures by malware".

For that reason, Adobe will be publishing updates for those existing Adobe software products which are signed using the compromised certificate.
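To make the cut-off concrete, here is an added example (not code from the article or from Adobe) of a triage routine that applies the advisory's revocation window to an inventory of signed files. The certificate serial and thumbprint are those quoted above; the SignatureRecord shape, the file names and the signing dates are constructed, and in practice the signing time would come from a trusted timestamp countersignature on the file.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Identifiers of the revoked certificate, as printed in the advisory quoted above.
REVOKED_SERIAL = "15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88"
REVOKED_THUMBPRINT = "fd f0 1d d3 f3 7c 66 ac 4c 77 9d 92 62 3c 77 81 4a 07 fe 4c"
# Revocation applies to code signed on or after this date (article text).
REVOCATION_EFFECTIVE = datetime(2012, 7, 10, tzinfo=timezone.utc)

def normalise_hex(value: str) -> str:
    """Accept 'fd f0 1d', 'FD:F0:1D' or 'fdf01d'; return contiguous lowercase hex."""
    digits = "".join(ch for ch in value.lower() if ch in "0123456789abcdef")
    if len(digits) % 2:
        raise ValueError("odd number of hex digits in %r" % value)
    return digits

@dataclass
class SignatureRecord:
    path: str
    signer_thumbprint: str
    signer_serial: str
    signing_time: Optional[datetime]  # from a trusted timestamp countersignature, else None

def classify(rec: SignatureRecord) -> str:
    """Triage verdict for one signed file:
    ok            - some other certificate
    review        - revoked cert, no trusted timestamp, so the signing date is unknown
    grandfathered - revoked cert, timestamped before the cut-off: the signature still
                    validates, which is why Adobe must ship re-signed builds
    untrusted     - revoked cert, signed on or after the cut-off"""
    hit = (normalise_hex(rec.signer_thumbprint) == normalise_hex(REVOKED_THUMBPRINT)
           or normalise_hex(rec.signer_serial) == normalise_hex(REVOKED_SERIAL))
    if not hit:
        return "ok"
    if rec.signing_time is None:
        return "review"
    return "untrusted" if rec.signing_time >= REVOCATION_EFFECTIVE else "grandfathered"

def classify_all(records: List[SignatureRecord]) -> Dict[str, str]:
    return {r.path: classify(r) for r in records}

# Constructed sample inventory: file names and dates are illustrative, not real indicators.
SAMPLES = [
    SignatureRecord("legacy_installer.exe", "FD:F0:1D:D3:F3:7C:66:AC:4C:77:9D:92:62:3C:77:81:4A:07:FE:4C", REVOKED_SERIAL, datetime(2012, 3, 1, tzinfo=timezone.utc)),
    SignatureRecord("suspect_tool.exe", REVOKED_THUMBPRINT, REVOKED_SERIAL, datetime(2012, 7, 26, tzinfo=timezone.utc)),
    SignatureRecord("untimestamped.dll", REVOKED_THUMBPRINT, REVOKED_SERIAL, None),
    SignatureRecord("other_vendor.exe", "00" * 20, "01" * 16, datetime(2012, 8, 1, tzinfo=timezone.utc)),
]
```

Files that land in "grandfathered" are exactly the ones revocation alone cannot protect against, so an inventory of them is the list to replace with the re-signed builds Adobe says it will publish.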

SophosLabs has released detection for the malicious files that Adobe references in its advisory, identifying them as Troj/HkCert-A.

SophosLabs researchers are also actively exploring whether there are other threats that may have misused the same certificate.

Further information can be found in Adobe's security advisory (APSA12-01).

Since Mike Wood discussed the abuse of digital signatures in Vancouver two years ago, there have been several stories about certificate abuse in attacks.

It is probably just an odd coincidence that news of this latest instance of certificate abuse has come to light while the world's leading anti-virus experts are once again meeting at the Virus Bulletin conference, this time in Dallas.


5 Responses to Adobe revokes certificate after hackers compromise server, sign malware

  1. Paul · 763 days ago

    What is the point of revoking a certificate after a given date? Surely if the private key has been compromised then all signed content should be marked as suspicious.

  2. Pat · 763 days ago

    This is just one more in a long line of weaknesses found in Adobe's stuff. Are we going to be seeing the slow death of the company due to eroded confidence? I can't be the only one wondering if it's worth running it?

  3. Wiebke Lips, Adobe · 763 days ago

    Hi Paul,

    Could you update the reference to "Adobe plans next week to revoke the certificate for all code signed before July 10, 2012, according to an advisory from the company"--the certificate will be revoked for all code signed AFTER (not before) July 10, 2012.

    Thanks!!
    Wiebke

    • Graham Cluley · 763 days ago

      Thanks Wiebke. The article is now fixed. Apologies for the error.

  4. Djoni Filho · 763 days ago

    First get a Comodo certificate to sign your trojans, and now steal the certificate of adobe and use as your own? Wow!

    The hacker intelligence fascinates me. Of course I'm not happy with this knowledge used for evil, but anyone fascinated by information security when science has made an almost unbelievable that such is impossible not to marvel at least with the highest technical level of these jinn (evil, but geniuses).

    Allow me to put this article translated with appropriate credit to the readers of my blog? Brazil needs to prepare.

    (Translated with Google Translator automatically)
    Country: Brazil.


About the author

Paul O Baccas (aka pob) joined Sophos in 1997 after studying Engineering Science at Oxford University. After nearly 16 years, he has left Sophos for pastures new and will be writing as an independent malware researcher. Paul has published several papers, presented at several Virus Bulletin conferences and was a technical editor for "AVIEN Malware Defense Guide". He has contributed to Virus Bulletin and is a frequent contributor to the Naked Security blog.