Malware Stealing Digital Certificate Invokes Security Concerns
Category : General 07 Aug 2010 04:48 AM | Industry News
Researchers at Trend Micro recently found a variant of the Zeus Trojan that used a certificate belonging to Kaspersky Lab's ZbotKiller product, which ironically is designed to destroy Zeus. Though the certificate was expired, the idea was for the malware to use it to look legitimate.
Unlike in the case of the Stuxnet malware, which installs drivers digitally signed by Realtek Semiconductor and JMicron Technology, the authors of the Zeus variant did not actually steal the certificate and sign files with it. Instead, they simply cut and pasted the signature from another file, explained Roel Schouwenberg, senior antivirus researcher with Kaspersky.
A report from Trend Micro offers a rare view into some of the less common aspects of Zeus. One of the toolkit's modules lets a criminal snatch digital signatures.
While analyzing some new Zeus samples, Trend Micro discovered several files carrying an odd digital signature. Worse, the signature belonged to Kaspersky, another well-known security vendor.
“This signature immediately caught our attention, as it seemed to be signed by legitimate antivirus company Kaspersky,” Trend explained in a blog post.
“While checking the certificate, we noticed that the hash value applied to the suspect file was invalid. This is because hash values are specific to the original file to which they are applied whereas this particular signature has been stolen. Also, the signature had already expired.”
The stolen certificate itself came from Kaspersky’s ZBot cleaning tool that targets Zeus installations.
“Certificates, unfortunately, can be copied by any cybercriminal with intent from any company—the antivirus company mentioned in this instance could not have prevented this incident from taking place—and it is likely that we will continue to see more such incidents in the future,” Trend added.
Recently, the Stuxnet family of malware was seen using stolen digital signatures from Realtek Semiconductor Corp. and JMicron Technology.
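The quoted explanation above (a signature covers the hash of one specific file, so pasting it onto another file leaves an invalid hash, and the certificate had expired as well) is easy to see in code. The following is an added example, not code from the article, Trend Micro or Kaspersky. It uses Go's standard library to model a signed file as payload plus an attached signature block, signs a constructed "vendor cleaning tool" with a constructed self-signed certificate that expired yesterday, copies that signature block onto an unrelated file the way the article describes, and then runs the two checks a verifier performs: hash match and certificate validity period. All names and file contents are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedFile is a simplified stand-in for a signed executable: the file
// contents plus an attached signature block (signer certificate and a
// signature over the hash of the contents). Constructed for illustration.
type SignedFile struct {
	Payload []byte
	CertDER []byte
	Sig     []byte
}

// newSigner creates a self-signed "vendor" certificate whose validity ends
// at notAfter. A hypothetical stand-in for a real code-signing certificate.
func newSigner(commonName string, notAfter time.Time) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

// sign hashes the payload and signs that hash: the signature is bound to
// these exact bytes and nothing else.
func sign(key *rsa.PrivateKey, certDER, payload []byte) (SignedFile, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return SignedFile{Payload: payload, CertDER: certDER, Sig: sig}, err
}

// transplant pastes the signature block of donor onto a different payload,
// which is what the article describes: no private key involved, only copied bytes.
func transplant(donor SignedFile, payload []byte) SignedFile {
	return SignedFile{Payload: payload, CertDER: donor.CertDER, Sig: donor.Sig}
}

// verify recomputes the payload hash and checks it against the signature, then
// checks the certificate's validity period at time now. It reports every
// finding rather than stopping at the first, so both defects the article
// mentions (hash mismatch and expiry) show up when both apply.
func verify(f SignedFile, now time.Time) []string {
	var findings []string
	cert, err := x509.ParseCertificate(f.CertDER)
	if err != nil {
		return []string{"certificate unparseable: " + err.Error()}
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return []string{"unsupported signer key type"}
	}
	digest := sha256.Sum256(f.Payload)
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], f.Sig) != nil {
		findings = append(findings, "signature does not match the file's hash")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		findings = append(findings, "signing certificate not valid at check time")
	}
	return findings
}

// Outcome holds the verification findings for the two files in the scenario.
type Outcome struct {
	Genuine    []string // vendor's own tool, checked while its certificate was valid
	Transplant []string // unrelated file carrying the copied signature, checked today
}

// Scenario reproduces the situation in the article with constructed data.
func Scenario() (Outcome, error) {
	now := time.Now()
	// The vendor certificate expired yesterday, as the article's had.
	key, certDER, err := newSigner("Example Vendor (constructed)", now.Add(-24*time.Hour))
	if err != nil {
		return Outcome{}, err
	}
	cleaner, err := sign(key, certDER, []byte("constructed: vendor cleaning tool"))
	if err != nil {
		return Outcome{}, err
	}
	malware := transplant(cleaner, []byte("constructed: unrelated executable"))
	return Outcome{
		Genuine:    verify(cleaner, now.Add(-30*24*time.Hour)),
		Transplant: verify(malware, now),
	}, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine tool:", o.Genuine)
	fmt.Println("copied signature:", o.Transplant)
}
```

The genuine file produces no findings when checked inside the certificate's validity window; the file with the transplanted block fails on the hash alone, regardless of expiry, because the signed digest was computed over the vendor's bytes. For a defender the takeaway is the one Trend draws: the presence of a vendor name in a signature block means nothing until the hash check passes, so triage should always run full verification rather than reading the signer field.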