
Malware often slips through the gates of IT security by pretending to be something else – perhaps an important billing notice sent via email, or a must-have antivirus solution that will wipe out all problems for free. Despite warnings from the security community, many users are still susceptible to these tricks, and perpetrators are finding new ways to disguise malware every day.
One of the more advanced tactics is to make malware look like legitimate antivirus software, replete with a digital code-signing certificate. For example, the Stuxnet worm from 2010 took this tack and distributed its files under certificates from two security vendors. Since that time, malware with stolen certificates has been a rare sight, but things may be changing.
While some strains recycle old certificates, more advanced variants steal certificates that were created only a few days prior, reducing the possibility that they will be invalidated. Antivirus Security Pro, one such piece of malware, has been around under many different names since at least 2009, and may be using more than a dozen stolen or fake certificates to mislead software developers and infect their systems.
CA certificates have become increasingly popular targets for malware creators and intelligence agencies, which may be creating fake certificates to conduct surveillance or man-in-the-middle attacks. Even Web browsers such as Mozilla Firefox have exhibited vulnerabilities that could be exploited for the creation and installation of rogue certificates.
In light of these developments, it is more important than ever to secure code-signing keys, for the sake of protecting user data and preserving business reputation. Vendors should also check more often for certificate revocation so that invalid certificates don’t slip past security.
How and why cybercriminals go after digital certificates
Digital certificates are issued by certification authorities and serve as a seal indicating that a particular piece of software hasn’t been tampered with. Users can verify the certificate’s signature chain to confirm that the application actually came from its purported developer.
Accordingly, if a rogue party obtains a legitimate CA certificate, it can sign malware and make the program seem legitimate. Creators of digitally signed malware usually pay authorities for certificates, since the CAs would likely have no insight into whether the certificate would be used for malicious purposes.
Rather than go through the standard channels, many cybercriminals are now stealing certificates for use in their applications. Microsoft recently chronicled the evolution of a threat called Winwebsec, or Antivirus Security Pro, that employs certificates issued by authorities around the world. Its certificates come from some of the leading CAs and were issued to developers in the Netherlands, the U.S., the U.K., Canada, Germany and Russia.
Once installed, Antivirus Security Pro behaves like a cross between an antivirus scanner and ransomware. It interrupts users with constant bogus notifications that it has identified “malicious programs and viruses,” and the only way to get rid of the notices is to pay a fee to “register” the software. It may use Microsoft logos to seem legitimate and is known to download other malware or block traffic to certain websites.
Going after CA certificates has long been regarded as a difficult and risky process, since it requires that attackers break into an organization using legitimate certificates or breach the issuing CA itself. Still, some security experts have warned that certificate theft would become more prevalent as attackers sought ways around the driver signature enforcement in the 64-bit versions of Windows 7 and Vista.
In the wake of Stuxnet, malware authors created backdoors with rootkit drivers protected by stolen certificates. While revoking a certificate in response to such exploits usually isn’t a difficult process, the problem is that many operating systems do not check certificate revocation lists often enough, if they check them at all. As a result, signed malware has an ample window of time in which to damage the infected system.
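One way a defender can close that window on a Windows host is to verify a file's Authenticode signature and then force an online revocation check of the whole signer chain rather than relying on whatever cached CRL the OS happens to have. This is an added example, not code from the article or from Microsoft; the file path is a parameter you supply, and the 7-day "recently issued" threshold is an assumed heuristic.

```powershell
# Added example: verify the Authenticode signature on a file and force an
# online revocation check of the entire signer chain, since Windows may
# accept a signature without consulting a fresh CRL.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # path to the binary to check (supplied by the caller)
)

$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    Write-Output "Signature status: $($sig.Status) - $($sig.StatusMessage)"
    return
}

$signer = $sig.SignerCertificate
Write-Output "Signer : $($signer.Subject)"
Write-Output "Issuer : $($signer.Issuer)"
Write-Output "Valid  : $($signer.NotBefore) to $($signer.NotAfter)"

# Rebuild the chain with revocation checking set to Online for every
# certificate in it; default verification may use a cached or skipped CRL.
$ns = 'System.Security.Cryptography.X509Certificates'
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
# Require the code-signing EKU (id-kp-codeSigning, 1.3.6.1.5.5.7.3.3).
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'))
# NoFlag: a chain whose revocation status cannot be determined fails Build().
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

if ($chain.Build($signer)) {
    Write-Output 'Chain builds and no certificate in it is revoked.'
} else {
    foreach ($s in $chain.ChainStatus) {
        Write-Output "Chain problem: $($s.Status) - $($s.StatusInformation.Trim())"
    }
}

# Assumed heuristic: a signer certificate issued only days ago is worth
# surfacing for review even when the chain is currently clean.
if ($signer.NotBefore -gt (Get-Date).AddDays(-7)) {
    Write-Output 'Note: signer certificate was issued within the last 7 days.'
}
```

Run it as a script (for example `.\Check-Signer.ps1 -Path C:\path\to\file.exe`) from a host with outbound access to the CA's CRL or OCSP endpoints, otherwise the revocation status will be reported as unknown and the chain will fail.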
Installers and modules are also common carriers of signed malware. Some legitimate antivirus solutions do not scan these signed files because they assume that they’re safe.
“[S]igned modules are more likely to be included in whitelisting collections, meaning the chance of them being fully analyzed is lower and they remain undetected for longer periods of time,” explained security researcher Costin Raiu, according to InfoWorld.
Winwebsec, Fareit and other threats to certificate security
Winwebsec/Antivirus Security Pro isn’t the only signed malware to break onto the scene recently. It is closely related to several other variants, which it may download and/or interact with in order to dig deeper into the infected system.
Antivirus Security Pro may download Ursnif, a tool that monitors Web traffic and steals passwords. The similar Fareit malware, which contains features removed from early versions of Ursnif, can steal passwords from an FTP client and download additional copies of Antivirus Security Pro, creating a complex, self-sustaining web of signed malware.
Outside of the Antivirus Security Pro family, there are several other threats organizations should be aware of. A security researcher recently identified a flaw in Firefox that would permit a rogue extension to change the Internet proxy settings and install fake CA certificates in Windows.
Last month, Google reported that an intermediate CA linked to a French authority had been issuing fake SSL certificates for its domains. These certificates could have been used for inspecting encrypted Web traffic, spoofing content or performing man-in-the-middle attacks.
How to safely manage code-signing certificates
With certificates in the spotlight, developers and organizations must ensure that they’re keeping private keys safe. They can store the keys in a hardware security module, on a USB token or on a smart card. Any system storing signing keys or certificates should run regularly updated antivirus software and should not be used for general Web browsing.
“Just as it is important to keep your house and car keys secure, securing your code-signing private keys is essential,” explained Microsoft in a blog post about Winwebsec. “Not only is it inconvenient, and often expensive, to have the certificate replaced, it can also result in loss of your company’s reputation if it is used to sign malware.”