I spent some time last week looking into the digital signature involved with the recent zero-day malware targeting Adobe Reader. Similar to the Stuxnet situation, Verisign has revoked the signing certificate used to sign the payload associated with this attack.
The way software signing certificates work is that a root Certificate Authority (CA) can issue signing certificates to software companies.
In this case it appears Vantage Credit Union was using this certificate issued by Verisign to sign software allowing their customers to use Quicken and Microsoft Money to communicate securely with their systems.
Certificates also carry an attribute (the CRL distribution point) that tells a verifier where the issuer's CRL (Certificate Revocation List) can be fetched.
This is the issuer's list of certificates that should no longer be trusted because they have been revoked, for example after the signing key was compromised; a Windows machine checking a signature consults it before deciding the signature is valid.
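As an added example (not part of the original post), here is a PowerShell script that performs that check on a signed file on Windows: it reads the Authenticode signature, prints the signer's CRL distribution point attribute, and builds the certificate chain with online revocation checking so the CRL is actually consulted. The file path is the only assumed input.

```powershell
# Added example, not from the original post: inspect an Authenticode-signed
# file and ask Windows whether the signing certificate has been revoked.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # path to the signed DLL or EXE to inspect (assumed input)
)

$sig = Get-AuthenticodeSignature -FilePath $Path
"Authenticode status : $($sig.Status)  ($($sig.StatusMessage))"
if (-not $sig.SignerCertificate) { return }   # unsigned file, nothing more to check

$cert = $sig.SignerCertificate
"Signer              : $($cert.Subject)"
"Issuer              : $($cert.Issuer)"
"Serial              : $($cert.SerialNumber)"

# OID 2.5.29.31 is the CRL Distribution Points extension described above.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) { "CRL distribution    : " + $cdp.Format($false) }

# Build the chain with online revocation checking for every certificate in it,
# so the issuer's CRL (or OCSP responder) is consulted rather than a cached verdict.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$null = $chain.Build($cert)

# Each ChainStatus entry explains why the chain is not clean (Revoked, NotTimeValid, ...).
foreach ($status in $chain.ChainStatus) {
    "Chain status        : $($status.Status) - $($status.StatusInformation.Trim())"
}
if ($chain.ChainStatus.Status -contains 'Revoked') {
    "RESULT: the signing certificate has been revoked by its issuer"
}
```

An empty chain status list means the chain built cleanly; a `RevocationStatusUnknown` or `OfflineRevocation` entry means the CRL could not be fetched, which is a different outcome from "not revoked" and should be treated as such.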
Here is a picture of what you see looking at the digitally signed DLL shipped with the malware. Now that Verisign has revoked the certificate, you can see Windows reports “A certificate was explicitly revoked by its issuer”. Computer World reported that after the revocation some bank customers experienced difficulties doing online banking. The good news is that it would seem this particular malware has now been put out of commission.
This may not matter if it was only used as a targeted attack, but it certainly shows the downside of using a stolen certificate to sign your malware. It may draw more of the wrong kind of attention than you really desire.
It also demonstrates that people who buy Authenticode signing certificates are not implementing sensible protections for their private keys.
I am not a big fan of the chain of trust, as I do not know who should be trusted, nor do I know what their practices are for securely managing and storing these certificates. I am sure this bank is perceived as a trustworthy institution within the communities it serves, but that does not mean it lives up to my expectations for security. This doesn’t even take into account that just about anyone who chooses to can buy one of these certificates without strong verification or any reason for trust.
Be careful what/who you trust and if you will be at Virus Bulletin here in Vancouver at the end of the month, be sure to attend SophosLabs researcher Mike Wood’s presentation on the