Stolen Digital Certificates Becoming Standard Malware Components

In the 15 years or so of serious malware production before 2010, there had been perhaps a handful of examples of malicious programs using digitally signed binaries to bypass antimalware systems. The emergence of Stuxnet earlier this year brought this tactic into the center of the spotlight, and now researchers say that the new mobile Zeus variant that is targeting Symbian and BlackBerry devices is following suit, using a stolen digital certificate to help cloak itself from security systems.

Stuxnet has garnered a huge amount of attention in recent weeks, much of it focused on its supposed use as an offensive weapon against Iran’s nuclear program. The evidence supporting that supposition is circumstantial, but what’s known for certain is that Stuxnet was using two stolen digital certificates: one from RealTek and one from JMicron, two Taiwanese technology companies. One of the certificates was used to sign the driver for a component of the malware and the other was used to sign a binary that was installed as part of the attack.

There are two distinct and equally serious problems that the use of stolen digital certificates by malware presents. The first is the obvious issue of how the attackers got their hands on the RealTek and JMicron certificates. Both companies have offices in the same office park in Taiwan, and there has been speculation that one malicious contractor for a cleaning company or employee of the office park’s management group could have stolen both certificates somehow and sold them to Stuxnet’s creators. That’s perhaps the simplest scenario, but there are plenty of other ways for bad guys to get their hands on certificates, whether it’s by stealing an employee’s laptop or thumb drive or by using a sophisticated attack to impersonate the companies to a registrar and buy legitimate certificates.

Whatever the case, it’s a serious problem that’s made all the more troublesome by the fact that many antimalware products and other security applications will whitelist binaries and files that are digitally signed. These components are simply trusted and passed along in most cases. The creators of Stuxnet obviously knew this and used it to their advantage. In the wake of the Stuxnet attack, security experts said that they expected other malware authors to follow the lead of Stuxnet and begin using digital signatures to evade security software, and that prediction is already being fulfilled.
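An added example, not part of the article, that makes the whitelisting problem concrete: a signature produced with a stolen private key verifies exactly like a legitimate one, so a verifier that trusts anything "signed" cannot tell the two apart, and only revocation of the compromised key separates them. It uses a toy Ed25519 signer in Go; the key-ID scheme and the revocation map are assumptions for illustration, not any vendor's mechanism.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Verdict separates the three questions a verifier should ask: does the
// signature check out, is the signing key known to be compromised, and
// should the file therefore be trusted.
type Verdict struct {
	SignatureValid bool
	Revoked        bool
	Trusted        bool
}

// KeyID is a hypothetical stable identifier for a publisher key:
// hex(SHA-256(public key)).
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Verify checks the signature and then the revocation list. Nothing in the
// signature itself reveals whether the private key was used by its owner or
// by a thief, so the revocation step is the only one that can distinguish them.
func Verify(pub ed25519.PublicKey, binary, sig []byte, revoked map[string]bool) Verdict {
	v := Verdict{SignatureValid: ed25519.Verify(pub, binary, sig)}
	v.Revoked = revoked[KeyID(pub)]
	v.Trusted = v.SignatureValid && !v.Revoked
	return v
}

func main() {
	// Constructed scenario: one publisher key pair; the "malware" is signed
	// with that same private key, as if it had been stolen.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	malware := []byte("malicious driver bytes (constructed)")
	sig := ed25519.Sign(priv, malware)
	revoked := map[string]bool{}

	before := Verify(pub, malware, sig, revoked)
	fmt.Println("before revocation: valid =", before.SignatureValid, "trusted =", before.Trusted)

	revoked[KeyID(pub)] = true // the publisher revokes the compromised key
	after := Verify(pub, malware, sig, revoked)
	fmt.Println("after revocation:  valid =", after.SignatureValid, "trusted =", after.Trusted)
}
```

A "signed means whitelisted" policy is the first verdict with the revocation check deleted; every legitimately signed file from the same publisher is also distrusted after revocation, which is the cost the publisher pays for losing the key.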

Earlier this week researchers warned of the discovery of a new variant of the Zeus Trojan that is aimed specifically at mobile online banking applications. The malware is designed to bypass the two-factor authentication mechanisms that some banking applications use, tricking victims into downloading a malicious component that enables the malware to steal one-time passwords sent by the bank to the victim’s mobile phone. It’s a clever technique, and as Jeremy Kirk of the IDG News Service reports, it’s aided by Zeus’ use of a digital certificate owned by an Azerbaijani firm.

Mobile phone software has followed the lead of desktop software in trusting signed binaries, and the problem is even more pronounced on mobile platforms thanks to the way that the mobile app stores are set up. The mobile Zeus variant targets Symbian and BlackBerry devices, both of which allow users to download and install applications from essentially any source at their discretion. That obviously can be dangerous if users aren’t careful about where they’re getting their software.

But it’s also a serious problem on platforms such as the iPhone that restrict users from installing apps that aren’t in the official App Store. Once a malicious application makes its way into the app store, it’s treated as a trusted piece of software and users have little way of knowing which apps are benign and which are malicious.

The increased use of stolen digital certificates is going to muddy these waters even further, placing more and more of a burden on users to try and decipher which apps and components are legit and which are aiming to steal their sensitive data. This is sub-optimal, to say the least.

Discussion

  • Alex on

    Wow this is interesting, I didn't realize so many anti-malware products whitelist digitally signed binaries and files.

    I've been working with a product called Cocoon which is cloud-based malware prevention and online privacy software, and is currently available as a Firefox add-on. Cocoon is also free because it's in beta.

    This software offers great protection. While browsing, Cocoon prevents websites loaded with malware from opening and protects users from drop-off downloads. It also anonymizes users' IP addresses and stores all of your cookies and browsing history on protected servers so that nobody can access it except for the user.

    Check it out here:

    https://getcocoon.com/

    Here is a video explaining how it works:

    http://www.youtube.com/watch?v=oRM4aWiCwxk

  • Wes Kussmaul on

    This headline and story present yet another illustration of why people get confused about certificates and PKI.

    Certificates don't get stolen. Certificates are signed public keys (and other pertinent information). It's the _private_ keys that get stolen.

    (Typically they get stolen because accountability is not assigned to a particular individual.)

  • ghettohacker inc on

    @Kussmaul, good point.  While I disagree with accountability being assigned to an individual, more rigorous standards could prevent this sort of thing.  Practices such as using biometrics or smart cards to enter the private keys would greatly eliminate the need for employees to have access to the keys.  Another, less secure option would be to split the private keys between 3 or more people, to also eliminate the same burden of one person having all the information.

  • Scott Wright on

    This story is disturbing in a different way than what is being emphasized. Theft of a digital certificate should not really be a threat, in itself. As I haven't seen any stories describing the theft at any level of detail, I'd like to know more about the private signing keys being used in the attack. This seems like an important part of the attack.

    For an attack on a digital signature to be successful, the private signing key is usually what's compromised, so the attacker can forge the signature that matches a public key certificate that everyone trusts. Certificates are meant to be public.

    So, is it the malware vendors' private keys that are being abused, or is it a private key on the client side? It's not clear.

    Where can we find out more information on this issue? Theft of certificates should not be a big news story.

    Thanks

    Scott Wright
    Security and Privacy Consultant
    Ottawa, Canada
