Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    April 2014
    S M T W T F S
    « Mar    
     12345
    6789101112
    13141516171819
    20212223242526
    27282930  
    • About Us
    blog.trendmicro.com Sites > TrendLabs Security Intelligence Blog > Malware > Spyware Hides Behind Stolen Opera Digital Certificate

    Opera recently disclosed that attackers compromised their network and stole at least one expired Opera code signing certificate. The attackers then used this certificate to sign their malware, which tricked the target system and (even) security software into thinking that the file was legitimate.

    We obtained a sample of the said malware (which is detected as TSPY_FAREIT.ACU) that bears the outdated Opera certificate (see screenshot below). Similar to what Opera reported, the sample we acquired poses as an Opera update.

    Once executed, TSPY_FAREIT.ACU steals crucial information from certain FTP clients or file managers including usernames, passwords, and server names.

    Opera-fake-certificate-1
    Figure 1. Screenshot of stolen old Opera digital certificate

    Aside from FTP clients, TSPY_FAREIT.ACU gathers more information from Internet browsers (which include Mozilla Firefox, Google Chrome, and interestingly Opera), usually those stored on these browsers. These data are typically login credentials for as social networking, banking, and e-commerce websites etc. Using these information, the people behind the malware can get hold of your various online accounts or even initiate unauthorized transactions. They can also profit from these stolen data by selling these to the underground market.

    Opera estimates that several thousand of Windows users are affected as a result of their installed Opera software automatically installing the said malware bearing the outdated certificate. To address this issue, the software vendor promised to release a new version of their browser.

    This abuse of digital certificate to keep malware under the radar is not a new trick and has been proven effective in the past. A good example is the notorious FLAME attack that uses components bearing Microsoft-issued certificates. The screen-locking malware Police Ransomware was also previously found using fake digital certificates, in an attempt to elude digital certificate checks.

    Opera is also not the first software vendor to release an advisory warning its users of malware bearing their digital certificates. Last year Adobe issued an advisory informing users of malicious utilities carrying legitimated Adobe certificates.

    Trend Micro detects and deletes the said spyware bearing the said certificate. You may visit Opera’s site to know more about their advisory.

    With additional insights from Threat Researcher Alvin John Nieto.





    Share this article
    		 Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon



    This entry was posted on Thursday, June 27th, 2013 at 6:18 pm and is filed under Malware . Both comments and pings are currently closed.



    Comments are closed.



     

    Other Trend Micro blogs
    CTO Insights
    CounterMeasures Blog
    Cloud Security Blog
    Consumerization Blog
    Fearless Web
    Internet Safety for Kids & Families
    Simply Security News
    Trend Micro Blog [German]
    TrendLabs Security Blog [Japan]
    Cloud Security APAC
    Trend Micro Free Tools Threat Encyclopedia Trend Micro Videos
    Do you have a product-related question? Visit our eSupport website.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice