Fake antivirus solutions increasingly have stolen code-signing certificates

  • Posted on: January 9, 2014
  • Posted in: Cybercrime, Vulnerabilities & Exploits
  • Posted by: Trend Micro

Malware often slips through the gates of IT security by pretending to be something else – perhaps an important billing notice sent via email, or a must-have antivirus solution that will wipe out all problems for free. Despite warnings from the security community, many users are still susceptible to these tricks, and perpetrators are finding new ways to disguise malware every day.

One of the more advanced tactics is to make malware look like legitimate antivirus software, replete with a digital code-signing certificate. For example, the Stuxnet worm from 2010 took this tack and distributed its files under certificates from two security vendors. Since that time, malware with stolen certificates has been a rare sight, but things may be changing.

While some strains recycle old certificates, more advanced variants steal certificates that were created only a few days prior, reducing the possibility that they will be invalidated. Antivirus Security Pro, one such piece of malware, has been around under many different names since at least 2009, and may be using more than a dozen stolen or fake certificates to mislead software developers and infect their systems.

CA certificates have become increasingly popular targets for malware creators and intelligence agencies, which may be creating fake certificates to conduct surveillance or man-in-the-middle attacks. Even Web browsers such as Mozilla Firefox have exhibited vulnerabilities that could be exploited for the creation and installation of rogue certificates.

In light of these developments, it is more important than ever to secure code-signing keys, for the sake of protecting user data and preserving business reputation. Vendors should also check more often for certificate revocation so that invalid certificates don’t slip past security.

How and why cybercriminals go after digital certificates
Digital certificates are issued by certification authorities and serve as a seal indicating that a particular piece of software hasn’t been tampered with. Users can check the certificate’s cryptography to verify that the application actually came from its purported developer.

Accordingly, if a rogue party obtains a legitimate CA certificate, it can sign malware and make the program seem legitimate. Creators of digitally signed malware usually pay authorities for certificates, since the CAs would likely have no insight into whether the certificate would be used for malicious purposes.

Rather than go through the standard channels, many cybercriminals are now stealing certificates for use in their applications. Microsoft recently chronicled the evolution of a threat called Winwebsec, or Antivirus Security Pro, that employs certificates issued by authorities around the world. Its certificates come from some of the leading CAs and were issued to developers in the Netherlands, the U.S., the U.K., Canada, Germany and Russia.

Once installed, Antivirus Security Pro behaves like a cross between an antivirus scanner and ransomware. It interrupts users with constant bogus notifications that it has identified “malicious programs and viruses,” and the only way to get rid of the notices is to pay a fee to “register” the software. It may use Microsoft logos to seem legitimate and is known to download other malware or block traffic to certain websites.

Going after CA certificates has long been regarded as a difficult and risky process, since it requires that attackers break into an organization using legitimate certificates or breach the issuing CA itself. Still, some security experts have warned that certificate theft would become more prevalent as attackers sought ways around the driver signature enforcement in the 64-bit versions of Windows 7 and Vista.

In the wake of Stuxnet, malware authors created backdoors with rootkit drivers protected by stolen certificates. While revoking a certificate in response to such exploits usually isn’t a difficult process, the problem is that many operating systems do not check certificate revocation lists often enough, if they check them at all. As a result, signed malware has an ample window of time in which to damage the infected system.
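The two points above, that a signature only proves possession of the signing key and that revocation is useless unless the verifier actually consults a fresh CRL, can be made concrete with a small verifier. The following is an added example written for this article; it is not code from Trend Micro, Microsoft or any vendor named here, and it assumes only the Go standard library. The root CA, the vendor certificate (serial 4242, common name "Constructed Software Vendor") and the "installer" bytes are all constructed for the example; the verifier is a plain ECDSA-over-SHA-256 check with a CRL lookup, not a parser for the Authenticode format Windows uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var errRevoked = errors.New("signer certificate is listed in the issuer's CRL")
var errStaleCRL = errors.New("CRL is past NextUpdate: a stale revocation view must not be trusted")

// toyPKI is a constructed root CA and one code-signing certificate issued under it.
type toyPKI struct {
	caCert  *x509.Certificate
	caKey   *ecdsa.PrivateKey
	signer  *x509.Certificate // leaf carrying the Code Signing extended key usage
	signKey *ecdsa.PrivateKey // the private key whose theft the article warns about
}

// issueCert creates a certificate for tmpl signed by parent's key and parses it back.
func issueCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func newToyPKI() (*toyPKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign lets this CA publish revocations
	}
	caCert, err := issueCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Constructed Software Vendor"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	signer, err := issueCert(leafTmpl, caCert, &signKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &toyPKI{caCert: caCert, caKey: caKey, signer: signer, signKey: signKey}, nil
}

// signPayload signs the SHA-256 digest of a file; whoever holds the key gets an equally valid signature.
func (p *toyPKI) signPayload(payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, p.signKey, digest[:])
}

// issueCRL has the CA publish a signed CRL listing the given serials, valid until nextUpdate.
func (p *toyPKI) issueCRL(revoked []*big.Int, nextUpdate time.Time) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-2 * time.Hour),
		NextUpdate: nextUpdate, RevokedCertificates: entries}
	return x509.CreateRevocationList(rand.Reader, tmpl, p.caCert, p.caKey)
}

// verifySignedFile runs the checks a loader should perform before trusting a signed file: chain to a
// trusted root with the Code Signing EKU, signature over the bytes, and a fresh issuer-signed CRL lookup.
func verifySignedFile(payload, sig []byte, signer *x509.Certificate, roots *x509.CertPool, crlDER []byte, now time.Time) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	chains, err := signer.Verify(opts)
	if err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if err := signer.CheckSignature(x509.ECDSAWithSHA256, payload, sig); err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("crl: %w", err)
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil { // chains[0][1] is the issuing CA
		return fmt.Errorf("crl signature: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return errStaleCRL
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(signer.SerialNumber) == 0 {
			return errRevoked
		}
	}
	return nil
}
```

Run through the article's scenario, a file signed with the vendor key passes every cryptographic check with an empty CRL; only after the CA lists serial 4242 does `verifySignedFile` return `errRevoked`, and only if the verifier refuses a CRL whose `NextUpdate` has passed (`errStaleCRL`) does the window the article describes actually close. A verifier that caches an old CRL or skips the lookup keeps accepting the signature indefinitely.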

Installers and modules are also targets of signed malware. Some legitimate antivirus solutions do not scan these signed files because they assume that they’re safe.

“[S]igned modules are more likely to be included in whitelisting collections meaning, the chance of them being fully analyzed is lower and they remain undetected for longer period of times,” explained security researcher Costin Raiu, according to InfoWorld.

Winwebsec, Fareit and other threats to certificate security
Winwebsec/Antivirus Security Pro isn’t the only signed malware to break onto the scene recently. It is closely related to several other variants, which it may download and/or interact with in order to dig deeper into the infected system.

Antivirus Security Pro may download Ursnif, a tool that monitors Web traffic and steals passwords. The similar Fareit malware, which contains features removed from early versions of Ursnif, can steal passwords from an FTP client and download additional copies of Antivirus Security Pro, creating a complex, self-sustaining web of signed malware.

Outside of Antivirus Security Pro, there are several other threats organizations should be aware of. A security researcher recently identified a flaw in Firefox that would permit a rogue extension to change the Internet proxy settings and install fake CA certificates in Windows.

Last month, Google reported that an intermediate CA linked to a French authority had been issuing fake SSL certificates for its domains. These certificates could have been used for inspecting encrypted Web traffic, spoofing content or performing man-in-the-middle attacks.

How to safely manage code-signing certificates
With certificates in the spotlight, developers and organizations must ensure that they’re keeping private keys safe. They can store the keys on a secure module, USB key or smart card. Any system storing certificates should feature regularly updated antivirus software and not be used for general Web browsing.

“Just as it is important to keep your house and car keys secure, securing your code-signing private keys is essential,” explained Microsoft in a blog post about Winwebsec. “Not only is it inconvenient, and often expensive, to have the certificate replaced, it can also result in loss of your company’s reputation if it is used to sign malware.”
