Adobe security chief Brad Arkin has warned that hackers have managed to create malicious files with Adobe’s digital code-signing signature.
According to a blog post published on Thursday, the issue appears to have been the result of hackers compromising a vulnerable build server.
Malware seen using the digital signature includes pwdump7 v7.1, a utility that scoops up password hashes and is sometimes used as a single file that statically links the OpenSSL library libeay32.dll.
The second malicious utility Adobe identifies is myGeeksmail.dll, an ISAPI filter.
Adobe plans next week to revoke the certificate for all code signed after July 10, 2012, according to an advisory from the company:
The certificate revocation will affect the following certificate:
- sha1RSA certificate
- Issued to Adobe Systems Incorporated
- Issued by VeriSign Class 3 Code Signing 2010 CA
- Serial Number: 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88
- sha1 Thumbprint: fd f0 1d d3 f3 7c 66 ac 4c 77 9d 92 62 3c 77 81 4a 07 fe 4c
- Valid from December 14, 2010 5:00 PM PST (GMT -8:00) to December 14, 2012 4:59:59 PM PST (GMT -8:00)
However, even when a CA (Certificate Authority) revokes a certificate for an abused private key, any digital signature made before the revocation date will remain valid.
This very topic was covered in a paper presented by my SophosLabs colleague Mike Wood at the Virus Bulletin conference in Vancouver two years ago, “Want My Autograph? The use and abuse of digital signatures by malware”.
For that reason, Adobe will be publishing updates for those existing Adobe software products which are signed using the compromised certificate.
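To make the revocation-date point concrete, here is an added Python example (not from the article or from Adobe) that applies a date-based revocation like the one in the advisory to a handful of constructed signed files: the thumbprint and validity period come from the advisory quoted above, the July 10, 2012 cut-off is assumed to take effect at midnight UTC, and a signature that carries no trusted countersignature timestamp is judged as if signed at verification time.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc
# Revocation record for the certificate in the Adobe advisory above. Validity
# times are the advisory's PST values converted to UTC; the July 10, 2012
# cut-off is assumed to take effect at 00:00 UTC (no time of day is given).
REVOKED_THUMBPRINT = "fd f0 1d d3 f3 7c 66 ac 4c 77 9d 92 62 3c 77 81 4a 07 fe 4c"
REVOCATION_EFFECTIVE = datetime(2012, 7, 10, tzinfo=UTC)
CERT_NOT_BEFORE = datetime(2010, 12, 15, 1, 0, 0, tzinfo=UTC)
CERT_NOT_AFTER = datetime(2012, 12, 15, 0, 59, 59, tzinfo=UTC)

def normalize_hex(value: str) -> str:
    """Lowercase hex with separators stripped, so 'fd f0' matches 'FD:F0'."""
    return value.replace(" ", "").replace(":", "").lower()

@dataclass
class SignedFile:
    name: str
    signer_thumbprint: str
    # Time from a trusted countersignature; None when there is no timestamp.
    countersign_time: Optional[datetime]

def signature_verdict(f: SignedFile, now: datetime) -> str:
    """Apply date-based revocation the way a code-signing verifier does."""
    if normalize_hex(f.signer_thumbprint) != normalize_hex(REVOKED_THUMBPRINT):
        return "not-affected"
    # Without a trusted timestamp the signing time cannot be proven, so the
    # signature is judged at verification time: past the cut-off it is revoked.
    signed_at = f.countersign_time or now
    if not CERT_NOT_BEFORE <= signed_at <= CERT_NOT_AFTER:
        return "outside-validity"
    if signed_at >= REVOCATION_EFFECTIVE:
        return "revoked"
    return "valid"

# Constructed sample inputs: the file names are illustrative and the signing
# times are made up; only the thumbprint is the advisory's real value.
NOW = datetime(2012, 10, 4, tzinfo=UTC)
SAMPLES = [
    SignedFile("adobe_product.exe", REVOKED_THUMBPRINT, datetime(2012, 3, 1, tzinfo=UTC)),
    SignedFile("pwdump7.exe", REVOKED_THUMBPRINT.upper().replace(" ", ":"), datetime(2012, 7, 26, tzinfo=UTC)),
    SignedFile("myGeeksmail.dll", REVOKED_THUMBPRINT, None),
    SignedFile("other_vendor.exe", "00" * 20, datetime(2012, 8, 1, tzinfo=UTC)),
]

def triage(files=SAMPLES, now=NOW) -> dict:
    """Map each file name to its verdict under the revocation record."""
    return {f.name: signature_verdict(f, now) for f in files}
```

The signature timestamped before the cut-off stays valid, which is why Adobe must re-sign its own products rather than rely on revocation alone, while the untimestamped file is evaluated at verification time and therefore fails.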
SophosLabs has released detection for the malicious files that Adobe references in its advisory, identifying them as Troj/HkCert-A.
SophosLabs researchers are also actively exploring whether there are other threats that may have misused the same certificate.
Further information can be found in Adobe’s security advisory (APSA12-01).
Since Mike Wood discussed the abuse of digital signatures in Vancouver two years ago, there have been several stories about certificate abuse in attacks.
It is probably just an odd coincidence that news of this latest instance of certificate abuse has come to light while the world’s leading anti-virus experts are once again meeting at the Virus Bulletin conference, this time in Dallas.
5 comments on “Adobe revokes certificate after hackers compromise server, sign malware”
What is the point of revoking a certificate after a given date? Surely if the private key has been compromised then all signed content should be marked as suspicious.
This is just one more in a long line of weaknesses found in Adobe's stuff. Are we going to be seeing the slow death of the company due to eroded confidence? I can't be the only one wondering if it's worth running it?
Could you update the reference to "Adobe plans next week to revoke the certificate for all code signed before July 10, 2012, according to an advisory from the company"–the certificate will be revoked for all code signed AFTER (not before) July 10, 2012.
Thanks Wiebke. The article is now fixed. Apologies for the error.
First get a Comodo certificate to sign your trojans, and now steal the certificate of Adobe and use it as your own? Wow!
The hackers' intelligence fascinates me. Of course I'm not happy with this knowledge being used for evil, but anyone fascinated by information security, when science has made it almost unbelievable that such a thing is possible, cannot help but marvel at least at the highest technical level of these jinn (evil, but geniuses).
May I post this article, translated and with appropriate credit, for the readers of my blog? Brazil needs to prepare.
(Translated with Google Translator automatically)