Stolen Government Certificate Used to Sign Malware
F-Secure researchers claim that malware spreading via malicious PDF files is signed with a valid certificate stolen from the Government of Malaysia, in just the latest evidence that scammers are using gaps in the security of digital certificates to help spread malicious code.
The malware, identified by F-Secure as a Trojan horse program dubbed Agent.DTIW, was detected in a signed Adobe PDF file by the company's virus researchers recently. The malicious PDF was signed using a valid digital certificate for mardi.gov.my, the Agricultural Research and Development Institute of the Government of Malaysia. According to F-Secure, the Government of Malaysia confirmed that the certificate was legitimate and had been stolen "quite some time ago."
Valid digital certificates can be used to authenticate malicious programs and bypass operating system warnings designed to appear when users attempt to run the application.
According to F-Secure, the Agent.DTIW malware exploits a known vulnerability in Adobe Reader 8 to gain a foothold on a vulnerable system, then downloads additional malicious modules from a server at the domain worldnewsmagazines.org. Some of those malicious objects were also found to be signed, though using a certificate from a commercial Web site.
Stolen digital certificates are an increasingly common element of malicious software, security researchers say. The Stuxnet malware famously used stolen digital certificates to bypass security protections on systems it infected. Recent months have also seen attacks aimed at certificate authorities and their affiliates, presumably by attackers who want the ability to generate valid certificates for high-profile domains that might later be used in man-in-the-middle type attacks. Certificate authorities such as the Dutch firms DigiNotar and KPN were compromised in such attacks, as was the CA Comodo. Certificate authorities and forged digital certificates have figured prominently in the news recently.
You can read more on F-Secure's blog here.
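A signature that verifies cryptographically only tells you which certificate signed the file, not whether that signer should be trusted; a stolen certificate, or one that has since expired or been revoked, passes the signature check and fails only at the policy layer. The following is an added example, not code from the article or from F-Secure, of that policy layer: it takes the signer details a verifier would hand back (constructed here, modelled loosely on the mardi.gov.my case with an assumed year and a constructed serial number) and rejects signatures from revoked certificates or from certificates that are not valid at the reference time. The PDF/CMS parsing and the signature check itself are assumed to have been done already.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed model of what a signature verifier hands back after checking the
# signature bytes and chain: it tells us *who* signed, not whether to trust it.
@dataclass(frozen=True)
class SignerCert:
    subject: str
    serial: int
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class SignedArtifact:
    name: str
    signer: SignerCert
    signing_time: datetime           # time claimed inside the signature
    trusted_timestamp: bool = False  # True only if a TSA countersignature vouches for it

def evaluate(artifact, now, revoked_serials):
    """Return (trusted, reasons); trusted only when no policy reason rejects it."""
    cert, reasons = artifact.signer, []
    # The owner of a stolen certificate revokes it; a chain-valid signature still fails here.
    if cert.serial in revoked_serials:
        reasons.append(f"serial {cert.serial:#x} ({cert.subject}) is revoked")
    # Without a trusted timestamp the claimed signing time is attacker-controlled,
    # so the certificate must be valid now, not merely at the time it claims.
    ref = artifact.signing_time if artifact.trusted_timestamp else now
    if ref < cert.not_before:
        reasons.append("certificate not yet valid at reference time")
    if ref > cert.not_after:
        reasons.append(f"certificate expired {cert.not_after.date()}, before {ref.date()}")
    return (not reasons, reasons)

UTC = timezone.utc
# Constructed certificate: subject from the article, expiry on 29 Sept (year assumed 2011),
# serial number invented for the example.
MARDI = SignerCert("mardi.gov.my", 0x1234,
                   datetime(2010, 9, 29, tzinfo=UTC), datetime(2011, 9, 29, tzinfo=UTC))
NOW = datetime(2011, 11, 15, tzinfo=UTC)          # assumed evaluation time
REVOKED = {0x1234}                                 # assumed: owner revoked the stolen cert

def verdict_for_malicious_pdf():
    # Claimed signing time is inside the validity window, but nothing vouches for it.
    pdf = SignedArtifact("invite.pdf", MARDI, datetime(2011, 9, 1, tzinfo=UTC))
    return evaluate(pdf, NOW, REVOKED)

def verdict_for_legitimate_pdf():
    # Same certificate, signed with a trusted timestamp before the theft was reported.
    pdf = SignedArtifact("report.pdf", MARDI, datetime(2011, 9, 1, tzinfo=UTC), True)
    return evaluate(pdf, NOW, set())
```

The malicious PDF is rejected on two grounds (revoked, and expired at the time of evaluation), while the legitimately timestamped document from the same certificate is still accepted, which is the distinction a trusted timestamp exists to preserve.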
Comments
again we see ambiguity causing big trouble as a general "fad" all of a sudden just know scratch that
This was not a valid cert - it had already expired on Sept 29.
http://www.f-secure.com/weblog/archives/mardi-cert_malaysian.PNG