Stolen Malaysian key used to sign malicious software

News by Dan Raywood

A malicious program that uses a signing key has been detected.

A malicious program that uses a signing key has been detected.

According to F-Secure, a malicious program has been using a digital certificate that was stolen from the Malaysian government. This certificate has been used to legitimise software when users download it from the web, helping it to remain undetected.

Mikko Hypponen, chief research officer at F-Secure, claimed it is not that common to find a signed copy of malware, but it is even rarer that it is signed with an official government key.

“The malware itself has been spread via malicious PDF files that drop it after exploiting Adobe Reader 8. The malware downloads additional malicious components from a server called worldnewsmagazines.org. Some of those components are also signed, although this time by an entity called esupplychain.com.tw,” he said.

F-Secure detected that the 'mardi.gov.uk' signing key was found to belong to the Malaysian Agricultural Research and Development Institute, and its investigations suggest that it was stolen quite some time ago.

Tal Be'ery, web security research team leader at Imperva, said: “Once more we are seeing an example of the growing trend in the theft of issued certificates by cyber-criminals. By using the stolen certificate, the malware appears to the operating system as a legitimate application and thus evades detection.

“We can expect to see more stories of stolen certificates in the coming year, as hackers have come to understand that the weakest link in SSL is the Public Key Infrastructure (PKI). PKI deals with all aspects of digital certificates, and hackers are launching a brutal attack against it.”

Be'ery claimed that this weakness is a direct consequence of the commoditisation of certificates, as smaller organisations are taking larger pieces of the certificate market.

“At the same time, any certificate authority (CA) can issue a digital certificate for any application not having to receive consent from application owner. When hackers gain control on any CA they can use it to issue fraudulent certificates and masquerade as any website,” he said.

“The same is true for code-signing certificates. Stealing the organisation's code-signing certificate is like stealing its rubber stamp. A stolen code-signing certificate enables the attacker to sign on whatever code they like. The browser will trust the downloaded code since it is properly signed. Therefore, the code-signing certificate is, and will continue to be, a prime target for malware distributers.”

Topics:

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events