Hackers Make Malware Download Appear Legitimate

Dennis Faas

The creators of a recently-discovered form of malware (malicious software) have reportedly used stolen government ID to make the bogus software appear legitimate when presented on Windows PCs. Once the malware is installed, it can steal personal information, such as passwords or banking information, or download other malware programs to the PC.

The malware is spread via infected PDF (portable document format) files that exploit a bug in the outdated Adobe Reader 8. (Source: computerworld.com)

The incident involves a code signing certificate, the same kind of authentication mechanism used for secure websites and for software such as Microsoft drivers.

Bogus Certificate Means Malware Harder to Detect

It's rare for a malware program to carry a valid software certificate. That said, it's important to understand that a valid certificate only states that the program was signed by a known (usually legitimate) source; it does not mean the software is harmless.

The validity of a software certificate is shown to the user when a file is downloaded and then opened for execution. For example, Internet Explorer displays a download signed by "Mozilla Foundation" as digitally signed and valid.

In this case, it was the certificate itself that was stolen. A valid signature makes it less likely that a user will notice something is amiss with an infected or malicious file, and also less likely that security software, such as web browsers, antivirus or antimalware programs, will flag the file as suspicious.

Certificate No Longer Valid

F-Secure, which discovered the malware, says that the certificate was signed on August 24, 2011.

Malaysian officials have confirmed only that it was stolen from them "quite some time ago." The good news is that the certificate expired at the end of September, meaning that it no longer lends any added credibility to the malware, and may even act as a red flag. (Source: f-secure.com)

As noted, the malware attempts to download and install a specific item of additional software. This additional software also has a security certificate, issued in Taiwan. It's not yet clear if this additional certificate was also stolen or if it was counterfeited by the creators of the malware.
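The points above (a valid signature only identifies the signer, and an expired certificate no longer vouches for a file) can be checked on a Windows PC with the built-in Get-AuthenticodeSignature cmdlet. The following script is an added example, not code from the article or from F-Secure; the file path and the empty thumbprint allowlist are placeholders to adapt to your environment.

```powershell
# Added example: triage the Authenticode signature on a downloaded executable.
function Test-DownloadSignature {
    param(
        [string]$Path,
        # SHA-1 thumbprints of signers you have verified out of band (placeholder, empty here).
        [string[]]$TrustedThumbprints = @()
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File          = $Path
        Status        = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
        StatusMessage = $sig.StatusMessage
        Findings      = @()
    }

    if ($sig.Status -eq 'NotSigned') {
        $result.Findings += 'File is not signed at all.'
    } else {
        $cert = $sig.SignerCertificate
        $result.Signer      = $cert.Subject
        $result.Issuer      = $cert.Issuer
        $result.Thumbprint  = $cert.Thumbprint
        $result.NotBefore   = $cert.NotBefore
        $result.NotAfter    = $cert.NotAfter
        $result.Timestamped = [bool]$sig.TimeStamperCertificate

        # A valid signature only proves who signed the file, not that it is safe:
        # a signer outside the allowlist deserves the same scrutiny as an unsigned file.
        if ($TrustedThumbprints -notcontains $cert.Thumbprint) {
            $result.Findings += "Signer '$($cert.Subject)' is not on the allowlist."
        }
        # An expired certificate, as in the article, no longer lends the file credibility.
        if ($cert.NotAfter -lt (Get-Date)) {
            $result.Findings += "Signing certificate expired on $($cert.NotAfter)."
        }
        # A countersignature timestamp keeps a signature valid past expiry; without one,
        # validity rests entirely on the certificate dates, so note its absence.
        if (-not $result.Timestamped) {
            $result.Findings += 'Signature carries no timestamp.'
        }
        if ($sig.Status -ne 'Valid') {
            $result.Findings += "Signature did not validate: $($sig.StatusMessage)"
        }
    }

    [pscustomobject]$result
}

# Placeholder path; replace with the downloaded file you want to inspect.
Test-DownloadSignature -Path 'C:\Users\Public\Downloads\setup.exe' | Format-List
```

An empty Findings list together with Status = Valid means the file is signed by a signer you already trust; anything else is worth a closer look before running the file.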

This isn't the first attack to involve forged or stolen digital certificates. This past September, a certificate company which produces SSL certificates for web browsers was breached by hackers. The hackers later created 500 bogus SSL certificates, which were then used to make fake (copycat) websites appear real in order to dupe users and steal personal information.
