Webroot reports zero-day malware generating forged Microsoft security certificates

According to Andrew Brandt, a security researcher with the IT security vendor, the fake Microsoft security certificates appear in the properties sheets of both the installer and two of the three executable payloads dropped by the installer.

"One giveaway is that the sheet identifies the signer as Microsoft but lacks both an email address and a time stamp. Legitimate system files digitally signed by Microsoft identify the signer as Microsoft Corporation and always have a time stamp", he said in a security blog posting.

"The bogus signatures are identified as invalid, but only when you click the Details button on the properties sheet's digital signatures tab", he added.

Brandt said that a legitimate Microsoft-signed file is normally issued by the Microsoft Code Signing PCA certificate authority, and will also display a countersignature from Verisign.

The fake Microsoft security certificates, however, have no countersignature, and appear to have been issued by 'Root Agency' - a made-up name for a non-existent certificate authority the malware creators are using to generate these files.

In fact, Brandt said, the malware creators may actually be using Microsoft's own security certificates creation tool - which is supposed to be used for testing - to facilitate the generation of the signed files.
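The traits Brandt lists (signer not the full "Microsoft Corporation", issuer 'Root Agency', no time stamp or countersignature, signature reported invalid) can be checked automatically with the built-in Get-AuthenticodeSignature cmdlet. The script below is an added triage example, not code from the article or from Webroot; the quarantine path is a placeholder and the heuristics are only those the article describes.

```powershell
# Added triage example (not from the article or Webroot). Flags files whose
# Authenticode signature claims Microsoft but shows the traits described above.
# Assumes Windows PowerShell; 'C:\quarantine' is a placeholder path.
function Test-SuspiciousMicrosoftSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $reasons = @()

    # Unsigned files are out of scope for this particular check
    if ($null -eq $sig.SignerCertificate) {
        return [pscustomobject]@{ Path = $Path; Suspicious = $false; Reasons = @('unsigned') }
    }

    $subject = $sig.SignerCertificate.Subject
    $issuer  = $sig.SignerCertificate.Issuer

    # Only files that present themselves as Microsoft-signed are of interest
    if ($subject -notmatch 'Microsoft') {
        return [pscustomobject]@{ Path = $Path; Suspicious = $false; Reasons = @('does not claim Microsoft') }
    }

    # Windows reports the bogus chain as invalid once it is actually validated
    if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }

    # 'Root Agency' is the non-existent CA named in the forged certificates
    if ($issuer -match 'Root Agency') { $reasons += 'issued by Root Agency' }

    # Genuine Microsoft files identify the signer as 'Microsoft Corporation'
    if ($subject -notmatch 'Microsoft Corporation') { $reasons += 'signer is not Microsoft Corporation' }

    # Genuine Microsoft files carry a time stamp (countersignature)
    if ($null -eq $sig.TimeStamperCertificate) { $reasons += 'no time stamp / countersignature' }

    [pscustomobject]@{ Path = $Path; Suspicious = ($reasons.Count -gt 0); Reasons = $reasons }
}

# Usage: review every file in a quarantine folder and list only the flagged ones
Get-ChildItem -Path 'C:\quarantine' -File |
    ForEach-Object { Test-SuspiciousMicrosoftSignature -Path $_.FullName } |
    Where-Object Suspicious |
    Format-List Path, Reasons
```

Treat the output as triage rather than a verdict: legitimate files signed through a Windows catalog rather than an embedded signature can also show no time stamper certificate, so confirm a hit by inspecting the Details view Brandt mentions.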

"While we've seen a number of digitally signed files come through our research queue over the years, authors of trojan horse apps rarely go to the trouble of digitally signing files in this way", he said.

"It's not clear why they would be digitally signing files, but clearly the person or people behind this are up to no good. We've published a new definition to remove both the installer and these payload files; Trojan-Certispaz will be available to help our customers clean up infections in our next definitions update", he added.

"In the meantime, until Adobe issues updates for Acrobat and/or Reader, you may wish to follow these instructions to disable Javascript within those applications."
