Early this month, Kaspersky Labs discovered a trojan known as Mediyes that had a valid digital signature issued by the Swiss company Conpavi, which works with the Swiss government.
Once installed, the trojan launches a dynamic link library (DLL), checks which browser is operating, intercepts requests sent to well-known search engines, and duplicates the requests on a server located in Germany. “The search queries are used by the criminals to earn money as part of the Search123 partner program that works on a pay-per-click (PPC) basis. The server responds to the users’ requests with links from the Search123 system that are clicked without the user knowing about it. This results in the bad guys making money from fake clicks”, explained Kaspersky Labs.
The trojan has infected 5,000 computers so far. Kaspersky Labs said in an update that Symantec’s VeriSign has revoked the compromised certificate.
What makes Mediyes particularly troublesome is that the valid digital signature enabled it to trick anti-virus software and install itself on a compromised computer.
This aspect of the trojan highlights the need for better key management, noted John Grimm, product marketing manager at Thales e-Security.
“If somebody is able to steal a private key used to create a digital signature in the first place, they can replace or augment the legitimate software with a piece of malware, create a perfectly valid signature over it, and then distribute it. The operating system is none the wiser because it thinks it is getting a validly signed piece of code”, Grimm told Infosecurity.
Grimm stressed that the problem is that those responsible for the keys and the digital signature process are not following standards of due care. If the keys are not afforded proper protection, it is easy to find them, steal them, and create seemingly valid signatures over maliciously modified code.
“The attackers are getting smarter and smarter. They know where to look and often they know what keys look like in the memory” of the computer, Grimm said.
Grimm recommended that companies protect keys using hardware, not software. “If you protect keys in a hardware module – a certified, dedicated piece of crypto hardware that is designed to do security generation, storage, and protection – now you have a much higher level of assurance around the protection of that private key. Somebody can’t scoop it up and create valid signatures over bad code.”
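As an added illustration of the sequence Grimm describes (this is not code from the article, Kaspersky or Thales), the Go program below signs a constructed “malware” blob with the same key that signs a legitimate artifact; the signature check alone cannot tell them apart, and only the revocation step, which is what VeriSign applied to the Conpavi certificate, flags the signer. The names Verdict, SignerID, Sign and Verify are hypothetical, and SignerID stands in for the certificate serial number a real revocation list would carry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Verdict is what the signature check reports for one artifact.
type Verdict string

const (
	VerdictValid   Verdict = "valid"
	VerdictBadSig  Verdict = "bad-signature"
	VerdictRevoked Verdict = "signer-revoked"
)

// SignerID stands in for the certificate serial a real CRL would list.
func SignerID(pub *ecdsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a P-256 key
	sum := sha256.Sum256(der)
	return fmt.Sprintf("%x", sum[:8])
}

// Sign signs the SHA-256 digest of an artifact; the same call serves the
// publisher's installer and, once the key is stolen, the attacker's malware.
func Sign(priv *ecdsa.PrivateKey, artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify checks the signature, then the revocation set. Malware signed with
// the stolen key passes the first check; only revocation catches it.
func Verify(pub *ecdsa.PublicKey, artifact, sig []byte, revoked map[string]bool) Verdict {
	digest := sha256.Sum256(artifact)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return VerdictBadSig
	}
	if revoked[SignerID(pub)] {
		return VerdictRevoked
	}
	return VerdictValid
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the stolen key
	malware := []byte("constructed: malware signed with the stolen key")
	sig, _ := Sign(priv, malware)
	revoked := map[string]bool{}
	fmt.Println(Verify(&priv.PublicKey, malware, sig, revoked)) // valid: the OS is none the wiser
	revoked[SignerID(&priv.PublicKey)] = true                    // the CA revokes the certificate
	fmt.Println(Verify(&priv.PublicKey, malware, sig, revoked)) // signer-revoked
}
```

Real Authenticode or X.509 verifiers should also honour the signing timestamp, so that code signed before the revocation date can be treated differently from code signed after it.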