Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity
    • IT Management
    • Networking

    Malware Stealing Digital Certificates Raises Security Concerns

    By
    Brian Prince
    -
    August 6, 2010
    Share
    Facebook
    Twitter
    Linkedin

      Two recent examples of malware utilizing digital signatures belonging to legitimate companies have put a spotlight on the question of what to do about it.

      Researchers at Trend Micro recently found a variant of the Zeus Trojan that used a certificate belonging to Kaspersky Lab’s ZbotKiller product, which ironically is designed to destroy Zeus. Though the certificate was expired, the idea was for the malware to use it to look legitimate.

      Unlike in the case of the Stuxnet malware, which installs drivers digitally signed by RealTek Semiconductor and JMicron Technology, the authors of the Zeus variant did not actually steal the certificate and sign files with it. Instead, they simply cut and pasted the signature from another file, explained Roel Schouwenberg, senior antivirus researcher with Kaspersky.

      “The new variant of Zeus simply contains a signature which was copy-pasted from another file,” Schouwenberg said. “This doesn’t produce a valid signature nor does it involve a breach of our certificate integrity, unlike the case with Stuxnet versus RealTek and JMicron.”

      According to Schouwenberg, the problem can partly be addressed by Microsoft.

      “Whenever you’re trying to install new software which is signed, Windows asks you, Do you trust Publisher X? That gives the user a clear indication where the software is coming from,” he explained. “So that happens when the signature is valid. However, when the digital signature isn’t valid Windows simply treats the file as an unsigned file … If Windows would simply alert the user that the certificate was invalid and the file should not be run we would be a lot better off.”

      The RealTek certificate used to sign the Stuxnet drivers expired in June; the JMicron certificate expires in July of 2012. Since Stuxnet is now believed to have been out for more than a year, it’s possible such a warning wouldn’t have helped many users infected by the worm. However, it could help address the problem of malware writers copying certificates-something that has been done for years now, Schouwenberg said.

      Microsoft said it has been in contact with Kaspersky and is evaluating the incident. However, Gartner analyst John Pescatore noted the problem is bigger than the operating system.

      “It isn’t just Windows, it is pretty much every browser, every OS,” Pescatore said. “If a certificate is expired or invalid, some popup is shown to the user. But since legitimate software vendors often fail to renew certificates on time, users get trained to just click thru the popups, and the use of the certificate becomes meaningless-it is like the FBI warning at the start of every DVD movie.

      “Now, it would be a good thing for the [Certificate Authority/Browser Forum] to come up with some agreed upon standards for how to handle different issues-an expired cert warning should be very different than a warning for a cert where the signature is invalid, etc,” he continued. “And they need to do a lot of education [of] users to make the difference clear.”

      While Stuxnet provides a high-profile example, an attack where digital certificates are actually stolen is quite rare, said Ben Greenbaum, senior research manager for Symantec Security Response.

      “It involves getting inside an organization and stealing their private PGP key that is used for actually signing files,” Greenbaum said.

      Stuxnet’s success in utilizing a stolen certificate does not make the certificates themselves irrelevant, he added.

      “Maintaining secure control over private signing certificates has always been the key to the proper operation of application signing, and given the rarity of threats that utilize stolen certificates, I think that in general organizations do a pretty good job of this,” he said. “It might be easier to think of it in this way: If one person loses a key to their house or has it stolen, that doesn’t mean all door locks have all of a sudden become useless or irrelevant.”

      Brian Prince
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×