In the 15 years or so of serious malware production before 2010, there had been perhaps a handful of examples of malicious programs using digitally signed binaries to bypass antimalware systems. The emergence of Stuxnet earlier this year brought this tactic into the center of the spotlight, and now researchers say that the new mobile Zeus variant that is targeting Symbian and BlackBerry devices is following suit, using a stolen digital certificate to help cloak itself from security systems.
Stuxnet has garnered a huge amount of attention in recent weeks, much of it focused on its supposed use as an offensive weapon against Iran’s nuclear program. The evidence supporting that supposition is circumstantial, but what’s known for certain is that Stuxnet was using two stolen digital certificates: one from RealTek and one from JMicron, two Taiwanese technology companies. One of the certificates was used to sign the driver for a component of the malware and the other was used to sign a binary that was installed as part of the attack.
There are two distinct and equally serious problems that the use of stolen digital certificates by malware presents. The first is the obvious issue of how the attackers got their hands on the RealTek and JMicron certificates. Both companies have offices in the same office park in Taiwan, and there has been speculation that one malicious contractor for a cleaning company or employee of the office park’s management group could have stolen both certificates somehow and sold them to Stuxnet’s creators. That’s perhaps the simplest scenario, but there are plenty of other ways for bad guys to get their hands on certificates, whether it’s by stealing an employee’s laptop or thumb drive or by using a sophisticated attack to impersonate the companies to a registrar and buy legitimate certificates.
Whatever the case, it’s a serious problem that’s made all the more troublesome by the fact that many antimalware products and other security applications will whitelist binaries and files that are digitally signed. These components are simply trusted and passed along in most cases. The creators of Stuxnet obviously knew this and used it to their advantage. In the wake of the Stuxnet attack, security experts said that they expected other malware authors to follow the lead of Stuxnet and begin using digial signatures to evade security software, and that prediction is already being fulfilled.
Earlier this week researchers warned of the discovery of a new variant of the Zeus Trojan that is aimed specifically at mobile online banking applications. The malware is designed to bypass the two-factor authentication mechanisms that some banking applications use, tricking victims into downloading a malicious component that enables the malware to steal one-time passwords sent by the bank to the victim’s mobile phone. It’s a clever technique, and as Jeremy Kirk of the IDG News Service reports, it’s aided by Zeus’ use of a digital certificate owned by an Azerbaijani firm.
Mobile phone software has followed the lead of desktop software in trusting signed binaries, and the problem is even more pronounced on mobile platforms thanks to the way that the mobile app stores are set up. The mobile Zeus variant targets Symbian and BlackBerry devices, both of which allow users to download and install applications from essentially any source at their discretion. That obviously can be dangerous if users aren’t careful about where they’re getting their software.
But it’s also a serious problem on platforms such as the iPhone that restrict users from installing apps that aren’t in the official App Store. Once a malicious application makes its way into the app store, it’s treated as a trusted piece of software and users have little way of knowing which apps are benign and which are malicious.
The increased use of stolen digital certificates is going to muddy these waters even further, placing more and more of a burden on users to try and decipher which apps and components are legit and which are aiming to steal their sensitive data. This is sub-optimal, to say the least.