Trend Micro TrendLabs Malware Blog

    While conducting continuous threat-monitoring activities, Trend Micro threat researchers identified multiple suspicious files that included a strange digital signature. This signature immediately caught our attention, as it seemed to be signed by legitimate antivirus company Kaspersky.

    While checking the certificate, we noticed that the hash value applied to the suspect file was invalid. A signature's hash value is specific to the original file to which it was applied, and this particular signature was stolen from another file, so it does not match the suspect file. The signature had also already expired. (The signature used in this case appears to be copied, ironically, from Kaspersky’s “ZbotKiller” cleaning tool.)

    Upon further investigation, we confirmed that the suspicious files are indeed malicious—ZeuS (ZBOT) variants detected as TSPY_ZBOT.BWP, TROJ_ZBOT.BYM, and TROJ_ZBOT.KJT.

    This isn’t the first time cybercriminals have stolen digital signatures. The first STUXNET malware was signed with a certificate from Realtek Semiconductors Corp., and a later variant was signed with one from JMicron Technology, although in both these cases the criminals had managed to gain access to the company’s private signing key.

    This fake Kaspersky certificate illustrates what seems to be a growing trend among cybercriminals and serves as a good reminder to users to always check the details of signatures and to ensure that they are valid.
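One way to run that check in bulk on Windows, as an added example that is not from the original post or Trend Micro's tooling: the script lists files that carry a signer name but fail Authenticode verification, which is how a copied signature block appears (a status such as `HashMismatch`). The folder `C:\Samples` is an assumed location.

```powershell
# Added example: triage Authenticode signatures under a folder.
# $Path is an assumed sample/quarantine directory; change it to suit.
param(
    [string]$Path = 'C:\Samples'   # hypothetical location
)

$now = Get-Date

Get-ChildItem -LiteralPath $Path -File -Recurse |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $cert = $sig.SignerCertificate

        # Files with no signature block at all are a different case; skip them.
        if ($sig.Status -eq 'NotSigned' -or $null -eq $cert) { return }

        [pscustomobject]@{
            File        = $_.FullName
            Signer      = $cert.Subject        # who the signature claims to be from
            Thumbprint  = $cert.Thumbprint
            Status      = $sig.Status          # Valid, HashMismatch, NotTrusted, ...
            CertExpired = $cert.NotAfter -lt $now
            Timestamped = $null -ne $sig.TimeStamperCertificate
            Detail      = $sig.StatusMessage
        }
    } |
    # Keep only files that name a signer but do not verify.
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Signer |
    Format-Table -AutoSize -Wrap
```

The signer name alone proves nothing here; only the `Status` column says whether the signature actually belongs to the file it is attached to.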

    Unfortunately, any cybercriminal with intent can copy certificates from any company. The antivirus company mentioned in this instance could not have prevented this incident from taking place, and it is likely that we will continue to see more such incidents in the future.

    Trend Micro has informed Kaspersky of this incident.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice