Adobe’s revocation of a code-signing certificate that attackers had used to sign several malicious utilities sparked concerns in the security community about widespread malware attacks using those utilities. The key concern was that most antimalware systems implicitly trust files that carry a valid digital signature and so would let them through without flagging them as malicious. However, security researchers say that the utilities, while still circulating, aren’t being used in large-scale attacks.
Adobe announced last week that it planned to revoke the certificate, saying that attackers had compromised a machine on the company’s network and then gained access to a build server. From there the attackers were able to request code signatures using the Adobe certificate, which they received for three separate pieces of malware. Adobe actually revoked the certificate on Thursday, and Microsoft researchers examined how often the three signed malware samples were being used.
The three malicious utilities to look out for are PwDump7.exe, libeay.dll and myGeeksmail.dll.
“Adobe has revoked the certificate today for all software code signed after July 10, 2012 and are also in the process of issuing updates signed using a new digital certificate for all affected products,” Tanmay Ganacharya of Microsoft said in a blog post.
“We have been tracking this issue very closely and the telemetry shows that this issue is not prevalent and is being used in highly targeted attacks only. We will continue to monitor for new malware leveraging this issue.”
Adobe security officials said, when they announced the compromised certificate, that they didn’t believe most users were at risk from attacks related to the malicious utilities.
“We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software,” Brad Arkin, the company’s top security and privacy official, said. “We believe the vast majority of users are not at risk.”
Most of the major antimalware vendors now have signatures for the malicious utilities and are able to identify them, so the risk of compromise is significantly lower than it was before Adobe announced the attack. The company gave the security companies advance information on the malicious utilities before the announcement to ensure that users were protected before the information became public.
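The point in the opening paragraph, that a signature which verifies cryptographically is not the same thing as a signature that should be trusted, is easy to get wrong in a scanning pipeline. The following is an added illustration, not code from Adobe, Microsoft or the article, of a policy layer that applies a revocation with an effective date (the July 10, 2012 cutoff quoted above) on top of a platform signature check. The certificate serial number is a placeholder, the sample files are constructed, and the cryptographic verification itself is assumed to have already been done by the platform (for example WinVerifyTrust on Windows) and passed in as a boolean.

```python
"""Revocation-aware trust decision for signed binaries.

Added example, not Adobe's or Microsoft's code. Assumes the platform has
already verified the signature cryptographically; this layer decides whether
a verified signature should actually be trusted, given a certificate that was
revoked with an effective date.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Hypothetical serial number standing in for the revoked Adobe certificate.
REVOKED_SERIAL = "PLACEHOLDER-REVOKED-SERIAL"

# Effective date from the article: code signed after July 10, 2012 with the
# revoked certificate is no longer trusted. Read conservatively: anything
# timestamped at or after the start of that day (UTC) counts as "after".
REVOCATION_EFFECTIVE = datetime(2012, 7, 10, tzinfo=timezone.utc)

# The three file names the article lists as signed malicious utilities.
KNOWN_BAD_NAMES = {"pwdump7.exe", "libeay.dll", "mygeeksmail.dll"}


@dataclass
class SignedFile:
    name: str
    signer_serial: str
    signature_valid: bool          # result of the platform's cryptographic check
    signed_at: Optional[datetime]  # trusted-timestamp countersignature, if present


def assess(f: SignedFile) -> Tuple[bool, str]:
    """Return (trusted, reason). A valid signature alone never grants trust."""
    if not f.signature_valid:
        return False, "signature does not verify"
    if f.name.lower() in KNOWN_BAD_NAMES:
        # A known-bad artifact is blocked regardless of who signed it.
        return False, "matches a known signed malicious utility name"
    if f.signer_serial == REVOKED_SERIAL:
        if f.signed_at is None:
            # Without a trusted timestamp there is no proof the file was signed
            # before the revocation, so fail closed.
            return False, "revoked certificate and no timestamp to prove pre-revocation signing"
        if f.signed_at >= REVOCATION_EFFECTIVE:
            return False, "signed with revoked certificate after the effective date"
        # Legitimately signed before the compromise window: still trusted.
        return True, "signed with revoked certificate before the effective date"
    return True, "valid signature from a non-revoked certificate"


# Constructed sample records (not real telemetry) covering each branch.
SAMPLES = [
    SignedFile("reader_update.exe", "PLACEHOLDER-GOOD-SERIAL", True,
               datetime(2012, 9, 1, tzinfo=timezone.utc)),
    SignedFile("flash_helper.dll", REVOKED_SERIAL, True,
               datetime(2012, 5, 2, tzinfo=timezone.utc)),
    SignedFile("tool.exe", REVOKED_SERIAL, True,
               datetime(2012, 8, 15, tzinfo=timezone.utc)),
    SignedFile("tool2.exe", REVOKED_SERIAL, True, None),
    SignedFile("PwDump7.exe", REVOKED_SERIAL, True,
               datetime(2012, 7, 26, tzinfo=timezone.utc)),
    SignedFile("tampered.exe", "PLACEHOLDER-GOOD-SERIAL", False, None),
]


def assess_all(files=SAMPLES):
    """Convenience wrapper returning {name: (trusted, reason)} for a batch."""
    return {f.name: assess(f) for f in files}


if __name__ == "__main__":
    for name, (trusted, reason) in assess_all().items():
        print(f"{'TRUST ' if trusted else 'BLOCK '} {name:20} {reason}")
```

The two design choices worth noting are that the file-name blocklist is checked before the certificate logic, so a known-bad utility is blocked even if it were re-signed by a different certificate, and that a missing timestamp is treated as "signed after the cutoff" rather than "unknown", which is what keeps a revocation with an effective date from being trivially bypassed by stripping the countersignature.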