Opera breached, has code cert stolen, possibly spreads malware - advice on what to do


Norway-based Opera, maker of one of the most popular browsers outside the Big Four, has announced a scary-sounding network intrusion.

The official story is still somewhat unclear.

But here are the relevant paragraphs from Opera's official mea culpa document:

On June 19th we uncovered, halted and contained a targeted attack on our internal network infrastructure. Our systems have been cleaned and there is no evidence of any user data being compromised. We are working with the relevant authorities to investigate its source and any potential further extent. We will let you know if there are any developments.

The current evidence suggests a limited impact. The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware. This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser.

It is possible that a few thousand Windows users, who were using Opera between 01.00 and 01.36 UTC on June 19th, may automatically have received and installed the malicious software. To be on the safe side, we will roll out a new version of Opera which will use a new code signing certificate.

The title of the article is "Security breach stopped", but that doesn't sound quite right to me.

The conclusions I reached, based on the announcement above, were:

  • The network was breached.
  • A code-signing key was stolen.
  • Malware has been signed with it and circulated.
  • At least one infected file was posted on an Opera server.
  • That file may have been downloaded and installed by Opera itself.
  • Cleanup and remediation have now been done at Opera.

That sounds a bit more like "Security breach not stopped" to me.

How else could a signed-and-infected file have been automatically downloaded by an already-installed instance of Opera?

Anyway, wouldn't Opera's auto-update have failed or produced a warning due to the expired certificate?

Until Opera has worked out the answer to these questions, Opera users probably want to assume the worst.

The good news is that the malware involved is widely detected by anti-virus tools, and the period of possible exposure via Opera itself was at most 36 minutes.

→ According to Opera, Sophos products block the offending file as Mal/Zbot-FG.

So, if you are an Opera for Windows user:

  • Download a fresh copy of the latest version (since the buggy download appears to be a thing of the past).
  • Make sure your anti-virus is up to date.
  • If you can spare the time, do an on-demand ("scan now") check of your computer.
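To see which signatures are actually on disk, the following PowerShell example (added here, not code from Opera or Sophos) lists every Authenticode-signed file under a few folders whose signer subject contains "Opera Software", together with the certificate's expiry date and whether the signature carries a timestamp. A signature made with a now-expired certificate can still report as Valid if it was timestamped while the certificate was in date, which bears on the auto-update question above. The folder list and the subject match string are assumptions.

```powershell
# Added example: report files that claim an Opera Software Authenticode
# signature, with certificate expiry and timestamp status.
# Assumptions: the folders below and the 'Opera Software' subject match.
$roots = @(
    "$env:ProgramFiles\Opera",
    "${env:ProgramFiles(x86)}\Opera",
    "$env:USERPROFILE\Downloads",
    $env:TEMP
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$now = Get-Date

$report = Get-ChildItem -Path $roots -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $cert = $sig.SignerCertificate
        # Keep only files whose signer claims to be Opera Software
        if ($cert -and $cert.Subject -match 'Opera Software') {
            [pscustomobject]@{
                File        = $_.FullName
                Status      = $sig.Status          # Valid, NotTrusted, HashMismatch, ...
                Thumbprint  = $cert.Thumbprint     # identifies the signing certificate
                NotAfter    = $cert.NotAfter       # certificate expiry date
                CertExpired = $cert.NotAfter -lt $now
                Timestamped = [bool]$sig.TimeStamperCertificate
                SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
    }

# Status = Valid with CertExpired = True and Timestamped = True means the
# timestamp is what keeps the signature acceptable after expiry.
# Compare each Thumbprint with the one on a fresh download from Opera;
# files signed with a different, expired certificate deserve a closer look.
$report | Sort-Object Thumbprint, File | Format-List
```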

If we find out more detail about whether malware was distributed by existing Opera installations or not, we'll let you know.

Sophos can help with an emergency cleanup of your Windows PC.

You can use the standalone Sophos Virus Removal Tool to detect and clean malware. This tool can be used alongside your existing anti-virus. (Free download, no registration required.)

You can download a fully-functioning evaluation version of Sophos EndUser Protection for Windows and use it for malware detection, prevention and clean-up. (Free download, registration required.)

Or you can use the Sophos Bootable Anti-Virus utility. SBAV requires you to download a Windows program to create and then use a bootable CD or USB key, so some technical expertise is recommended. The advantage of SBAV is that it is immune to malware already on your PC, as it runs from a self-contained Linux-based operating system. (Free download, no registration required.)


8 Responses to Opera breached, has code cert stolen, possibly spreads malware - advice on what to do

  1. This is really bad since Opera is my alternative browser.

  2. Anon · 396 days ago

    Current link in article to Mal~Zbot-FG description returns a 404

  3. Andrew S. Baker (ASB) · 396 days ago

    Security is not simply a product, but includes processes and people and infrastructure.

    Oh, and that was a terrible breach notification which leaves more questions than it answers.

  4. Meitzi · 396 days ago

    "Anyway, wouldn't Opera's auto-update have failed or produced a warning due to the expired certificate?"

    No. Signed files do not get old if you use a timestamp.
    (timestamp which says it was signed when certificate was valid...but was it really?)

  5. Richard · 396 days ago

    Be careful if you download a fresh copy of Opera and it's not your default browser - it will automatically register itself as the default browser without consent, and change your file associations for any files it can open.

    • ross · 396 days ago

      Richard, that is misleading. The Opera installer has an option for whether or not it should be the default browser, but if you just keep mashing "Next" you'll miss it.

  6. Bart · 395 days ago

    Opera is my main browser and I use a Mac.

    It seems there will be little chance of a new version before 15 stabilizes and I will wait for it to mature before using it.

    Thanks for the notice. Since I do use Sophos A-V I guess I am OK anyway.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog