- Jan 24, 2011
Security researchers warn that a newly identified ZeuS sample is signed with a fake digital certificate allegedly issued to German antivirus vendor Avira.
Code signing has been possible since the days of Windows NT; however, adoption of the technology was slow until Windows Vista and Windows 7, where UAC (User Account Control) alerts look significantly different for signed and unsigned executables.
Today it is common practice to sign installers as a method to verify they haven't been tampered with, as any modification made to the code would break the original signature.
Digitally signed malware is a relatively rare occurrence because malware authors have few options for doing it properly and it generally isn't worth the trouble.
One way is to steal a private digital key from a company and use it to sign the malicious code. This technique was used by the Stuxnet industrial sabotage worm to install a rootkit component on 64-bit versions of Windows.
Since rootkits function as drivers and 64-bit versions of Windows don't load unsigned drivers, signing the rootkit with a valid certificate was necessary.
However, the new ZeuS sample does not have a valid signature. "Viewing the properties of the digital signature, Microsoft Windows shows a note 'A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.'
"Don’t misunderstand that message – it means that this certificate is not created by Avira GmbH and therefore it’s not a stolen certificate," Avira researchers note.
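The check Windows performs when it shows that note can be reproduced for a whole directory of binaries. The following PowerShell triage script is an added example, not code from the article or from Avira; the `$Path` folder and the `$WatchedVendors` list are assumptions for illustration. It reports each signature's status, the signer's subject, and the reason the chain failed to build, and flags the pattern described above: a subject that names a known vendor while the chain does not end in a trusted root.

```powershell
# Added example (not from the article): triage Authenticode signatures and flag
# signer subjects that borrow a vendor's name but do not chain to a trusted root.
param(
    [string]   $Path = 'C:\Triage',                        # hypothetical sample folder
    [string[]] $WatchedVendors = @('Avira', 'Microsoft')   # constructed watch-list
)

function Test-ChainTrust {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Require the code-signing EKU; skip online revocation so the check works offline.
    $codeSigning = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
    $chain.ChainPolicy.ApplicationPolicy.Add($codeSigning) | Out-Null
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $ok = $chain.Build($Cert)
    # ChainStatus is empty on success; otherwise it names the failure, e.g.
    # UntrustedRoot for a self-made certificate that merely copies a vendor's name.
    $reasons = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    return [pscustomobject]@{ Trusted = $ok; Reasons = ($reasons -join ',') }
}

Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) { return }

    $subject = $sig.SignerCertificate.Subject
    $trust   = Test-ChainTrust -Cert $sig.SignerCertificate
    $claimsVendor = @($WatchedVendors | Where-Object { $subject -match [regex]::Escape($_) }).Count -gt 0

    [pscustomobject]@{
        File        = $_.FullName
        Status      = $sig.Status          # Valid, NotTrusted, UnknownError, HashMismatch, ...
        Detail      = $sig.StatusMessage   # Windows' own text, such as the untrusted-root note quoted above
        Signer      = $subject
        ChainOk     = $trust.Trusted
        ChainReason = $trust.Reasons
        # A vendor name in the subject plus an untrusted chain is the pattern
        # described in the article and deserves a closer look.
        Suspicious  = ($claimsVendor -and -not $trust.Trusted)
    }
} | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on an analysis machine so that the root store consulted is the one you actually trust.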