Adobe security chief Brad Arkin has warned that hackers have managed to create malicious files with Adobe’s digital code-signing signature.
According to a blog post published on Thursday, the issue appears to have been the result of hackers compromising a vulnerable build server.
Malware seen using the digital signature includes pwdump7 v 7.1 (a utility that scoops up password hashes, and is sometimes used as a single file that statically links the OpenSSL library libeay32.dll.)
According to Adobe, the second malicious utility is myGeeksmail.dll, a malicious ISAPI filter.
Adobe plans next week to revoke the certificate for all code signed after July 10, 2012, according to an advisory from the company:
The certificate revocation will affect the following certificate:
- sha1RSA certificate
- Issued to Adobe Systems Incorporated
- Issued by VeriSign Class 3 Code Signing 2010 CA
- Serial Number: 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88
- sha1 Thumbprint: fd f0 1d d3 f3 7c 66 ac 4c 77 9d 92 62 3c 77 81 4a 07 fe 4c
- Valid from December 14, 2010 5:00 PM PST (GMT -8:00) to December 14, 2012 4:59:59 PM PST (GMT -8:00)
However, even when a CA (Certificate Authority) revokes a certificate for an abused private key, any digital signature made before the revocation date will remain valid.
This very topic was covered in a paper presented by my SophosLabs colleague Mike Wood at the Virus Bulletin conference in Vancouver two years ago, “Want My Autograph? The use and abuse of digital signatures by malware”.
For that reason, Adobe will be publishing updates for those existing Adobe software products which are signed using the compromised certificate.
SophosLabs has released detection for the malicious files that Adobe references in its advisory, identifying them as Troj/HkCert-A.
SophosLabs researchers are also actively exploring whether there are other threats that may have misused the same certificate.
Further information can be found in Adobe’s security advisory (APSA12-01).
Since Mike Wood discussed the abuse of digital signatures in Vancouver two years ago, there have been several stories about certificate abuse in attacks.
It is probably just an odd coincidence that news of this latest instance of certificate abuse has come to light while the world’s leading anti-virus experts are once again meeting at the Virus Bulletin conference, this time in Dallas.Follow @SophosLabs