Trend Micro has uncovered a variant of the Zeus Trojan using an expired digital certificate belonging to Kaspersky Lab, while the Stuxnet malware is known to have used certificates stolen from legitimate companies.
Two recent examples of malware utilizing digital signatures belonging to
legitimate companies have put a spotlight on the question of what to do about
Researchers at Trend Micro recently found a variant of the Zeus
Trojan that used a certificate belonging to Kaspersky Lab's ZbotKiller product,
which ironically is designed to destroy Zeus. Though the certificate was
expired, the idea was for the malware to use it to look legitimate.
Unlike in the case of the Stuxnet
malware, which installs drivers digitally signed by RealTek Semiconductor and
the authors of the Zeus variant did not actually steal
the certificate and sign files with it. Instead, they simply cut and pasted the
signature from another file, explained Roel Schouwenberg, senior antivirus
researcher with Kaspersky.
"The new variant of Zeus simply contains a signature which was copy-pasted
from another file," Schouwenberg said. "This doesn't produce a valid
signature nor does it involve a breach of our certificate integrity, unlike the
case with Stuxnet versus RealTek and JMicron."
According to Schouwenberg, the problem can partly be addressed by Microsoft.
"Whenever you're trying to install new software which is signed,
Windows asks you, Do you trust Publisher X? That gives the user a clear
indication where the software is coming from," he explained. "So that
happens when the signature is valid. However, when the digital signature isn't
valid Windows simply treats the file as an unsigned file ... If Windows would
simply alert the user that the certificate was invalid and the file should not
be run we would be a lot better off."
The RealTek certificate used to sign the Stuxnet drivers expired in June;
the JMicron certificate expires in July of 2012. Since Stuxnet is now believed
to have been out for more than a year, it's possible such a warning wouldn't
have helped many users infected by the worm. However, it could help address the
problem of malware writers copying certificates-something that has been done
for years now, Schouwenberg said.
Microsoft said it has been in contact with Kaspersky and is evaluating the
incident. However, Gartner analyst John Pescatore noted the problem is bigger
than the operating system.
"It isn't just Windows, it is pretty much every browser, every
OS," Pescatore said. "If a certificate is expired or invalid, some
popup is shown to the user. But since legitimate software vendors often fail to
renew certificates on time, users get trained to just click thru the popups,
and the use of the certificate becomes meaningless-it is like the FBI warning
at the start of every DVD movie.
"Now, it would be a good thing for the [Certificate Authority/Browser
Forum] to come up with some agreed upon standards for how to handle different
issues-an expired cert warning should be very different than a warning for a
cert where the signature is invalid, etc," he continued. "And they
need to do a lot of education [of] users to make the difference clear."
While Stuxnet provides a high-profile example, an attack where digital
certificates are actually stolen is quite rare, said Ben Greenbaum, senior
research manager for Symantec Security Response.
"It involves getting inside an organization and stealing their private
PGP key that is used for actually signing files," Greenbaum said.
Stuxnet's success in utilizing a stolen certificate does not make the
certificates themselves irrelevant, he added.
"Maintaining secure control over private signing certificates has
always been the key to the proper operation of application signing, and given
the rarity of threats that utilize stolen certificates, I think that in general
organizations do a pretty good job of this," he said. "It might be
easier to think of it in this way: If one person loses a key to their house or
has it stolen, that doesn't mean all door locks have all of a sudden become
useless or irrelevant."