- Published: 17 November 2011
- Written by NStinchcombe
According to a report by F-Secure, the stolen certificate was used to sign malware that has been spread through malicious PDF files: the signed payload is dropped after an Acrobat Reader 8 exploit has run.
Tal Be’ery, Web Security Researcher at Imperva, comments: “Once more we are seeing an example of the growing trend in the theft of issued certificates by cyber-criminals. This time, F-Secure published an analysis of a widespread malware strain which used a stolen certificate belonging to the Malaysian Agricultural Research and Development. By using the stolen certificate, the malware appears to the operating system as a legitimate application and thus evades detection.
We can expect to see more stories of stolen certificates in the upcoming year, as hackers have come to understand that the weakest link in SSL is the Public Key Infrastructure (PKI). PKI deals with all aspects of digital certificates – and hackers are launching a brutal attack against it.
Attackers have repeatedly compromised various Certificate Authority (CA) organizations this year, including DigiNotar (http://www.theregister.co.uk/2011/09/20/diginotar_bankrupt/) and GlobalSign (http://www.theregister.co.uk/2011/09/07/globalsign_suspends_ssl_cert_biz/). This is a direct consequence of the commoditization of certificates, as smaller, less competent organizations are taking larger pieces of the certificate market. At the same time, any CA can issue a digital certificate for any application without having to receive consent from the application owner. When hackers gain control of any CA, they can use it to issue fraudulent certificates and masquerade as any website.
The same is true for code signing certificates: stealing the organization's code signing certificate is like stealing its rubber stamp. A stolen rubber stamp enables the attacker to sign cheques and fill in an arbitrary amount and beneficiary. The bank will trust the cheque since it's signed. A stolen code signing certificate enables the attacker to sign whatever code they like. The browser will trust the downloaded code since it is properly signed. Therefore, the code signing certificate is, and will continue to be, a prime target for malware distributors.”
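The mechanism Be’ery describes, as an added example that is not part of the original article, of F-Secure's analysis or of Imperva's work: a toy PKI built with Go's standard crypto/x509 package. The root CA, the publisher name "Example Research Institute", the serial numbers and the placeholder byte strings standing in for the binaries are all constructed for this example; nothing here is the Malaysian certificate or the malware from the story. It shows that a loader doing the full, correct check (signature over the file, chain to a trusted root with the code-signing EKU, CRL lookup) accepts malware signed with a stolen key exactly as it accepts the publisher's own release, and that revocation only helps once the CA has issued a fresh CRL and the loader actually fetches and checks it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed toy PKI: one trusted root and one code-signing certificate issued to a
// hypothetical publisher. Nothing here is the certificate or malware from the story.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// certTemplate is valid for 24 hours; CAs get certSign/cRLSign, end entities the code-signing EKU.
func certTemplate(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	return t
}

func issue(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}

// issueCRL returns a DER CRL, signed by the CA, listing the given serials as revoked.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...*big.Int) []byte {
	now := time.Now()
	t := &x509.RevocationList{Number: big.NewInt(now.UnixNano()), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	for _, s := range revoked {
		t.RevokedCertificates = append(t.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return must(x509.CreateRevocationList(rand.Reader, t, ca, caKey))
}

// SignCode signs a binary as a publisher's build pipeline would: ECDSA over its SHA-256 digest.
func SignCode(key *ecdsa.PrivateKey, code []byte) []byte {
	d := sha256.Sum256(code)
	return must(ecdsa.SignASN1(rand.Reader, key, d[:]))
}

// VerifySignedCode is what a loader checks before trusting a signed binary: the signature
// matches the file, the leaf chains to a trusted root with the code-signing EKU, and the
// leaf is not on its issuer's current CRL. Note what it cannot tell: whether the signer
// was the publisher or someone holding a stolen copy of the publisher's key.
func VerifySignedCode(code, sig []byte, leaf *x509.Certificate, roots *x509.CertPool, crlDER []byte) error {
	if err := leaf.CheckSignature(x509.ECDSAWithSHA256, code, sig); err != nil {
		return fmt.Errorf("signature mismatch: %w", err)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	if err != nil || len(chains[0]) < 2 {
		return fmt.Errorf("untrusted or self-anchored chain: %v", err)
	}
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil || rl.CheckSignatureFrom(chains[0][1]) != nil {
		return errors.New("CRL unparsable or not signed by the issuer")
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate revoked")
		}
	}
	return nil
}

// Scenarios returns the loader's verdict (nil = accepted) for each case in the story.
func Scenarios() map[string]error {
	caKey := newKey()
	caT := certTemplate(1, "Example Root CA", true)
	ca := issue(caT, caT, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	pubKey := newKey() // the publisher's signing key, assumed stolen by the attacker
	pubCert := issue(certTemplate(4242, "Example Research Institute", false), ca, &pubKey.PublicKey, caKey)
	crl := issueCRL(ca, caKey) // nothing revoked yet
	release := []byte("placeholder bytes: the publisher's real build")
	dropper := []byte("placeholder bytes: malware dropped by the PDF exploit")
	out := map[string]error{}
	out["publisher release"] = VerifySignedCode(release, SignCode(pubKey, release), pubCert, roots, crl)
	// Same key, same certificate, different file: the loader cannot tell the difference.
	out["malware, stolen key"] = VerifySignedCode(dropper, SignCode(pubKey, dropper), pubCert, roots, crl)
	// After revocation the same signature is rejected, but only by loaders that fetch the fresh CRL.
	crl = issueCRL(ca, caKey, pubCert.SerialNumber)
	out["malware, after revocation"] = VerifySignedCode(dropper, SignCode(pubKey, dropper), pubCert, roots, crl)
	return out
}

func main() { fmt.Println(Scenarios()) }
```

Run it with `go run` (it assumes Go 1.19 or later for x509.ParseRevocationList and generics). The design point is in VerifySignedCode: every step a conscientious loader can take passes for the stolen-key case, because a code signature binds a file to a key, not to the person who pressed the button. The only lever the ecosystem has after a theft is revocation, which is why a loader that skips the CRL or OCSP step, or that keeps trusting binaries it already cached as "signed", stays exposed long after the CA has acted.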