F-Secure researchers claim that malware spreading via malicious PDF files is signed with a valid certificate stolen from the Government of Malaysia, in just the latest evidence that scammers are using gaps in the security of digital certificates to help spread malicious code.
The malware, identified by F-Secure as a Trojan horse program dubbed Agent.DTIW, was detected recently by the company’s virus researchers in a signed Adobe PDF file. The malicious PDF was signed using a valid digital certificate for mardi.gov.my, the Agricultural Research and Development Institute of the Government of Malaysia. According to F-Secure, the Government of Malaysia confirmed that the certificate was legitimate and had been stolen “quite some time ago.”
Valid digital certificates can be used to authenticate malicious programs and bypass operating system warnings designed to appear when users attempt to run the application.
According to F-Secure, the Agent.DTIW malware exploits a known vulnerability in Adobe Reader 8 to gain a foothold on a vulnerable system, then downloads additional malicious modules from a server at the domain worldnewsmagazines.org. Some of those malicious objects were also found to be signed, though using a certificate from a commercial Web site.
Stolen digital certificates are an increasingly common element of malicious software, security researchers say. The Stuxnet malware famously used stolen digital certificates to bypass security protections on systems it infected. Recent months have also seen attacks leveled at certificate authorities and their affiliates, presumably by attackers who want the ability to generate valid certificates for high-profile domains that might later be used in man-in-the-middle type attacks. Certificate authorities like the Dutch firms DigiNotar and KPN were compromised in such attacks, as was the CA Comodo. Certificate authorities and forged digital certificates have figured prominently in the news recently.
You can read more on F-Secure’s blog here.