When Kaspersky Lab last week spotted code-signed Trojan malware dubbed Mediyes that had been signed with a digital certificate owned by Swiss firm Conpavi AG and issued by Symantec, it touched off a hunt to determine the source of the problem.
The answer, says Symantec's website security services unit, is that somehow the private encryption key associated with the Conpavi AG certificate had been stolen.
"The private key for Conpavi was exposed," says Quentin Liu, senior director of engineering at the Symantec division. "Someone got hold of the private key." For this type of digital certificate, the private key is held by the certificate owner, in this case Conpavi. Whether the private encryption key was stolen by an insider at Conpavi or by an outside attacker isn't known. But the incident points out the risks associated with private encryption keys for this type of digital certificate and the need to safeguard them.
Symantec has revoked the Conpavi certificate that was used to digitally sign the Mediyes malware and is assisting the Swiss firm in analysing what occurred and helping them prevent this from happening again.
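As an added illustration (not from the article, and not code from Symantec, Kaspersky or Conpavi), the following Go program models in miniature the two points above: a signature made with a stolen private key is cryptographically indistinguishable from one made by the legitimate owner, so signature verification alone cannot catch it, and revocation of the certificate is what finally lets a verifier reject the file. The "certificate" type, the Ed25519 key pair, the publisher name, the serial number and the file contents are all constructed stand-ins; the article does not give the real certificate's details.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Certificate is a simplified stand-in for a code-signing certificate:
// it binds a publisher name to a public key under a serial number.
// (Constructed for illustration; real X.509 certificates carry far more.)
type Certificate struct {
	Subject   string
	PublicKey ed25519.PublicKey
	Serial    string
}

// SignedFile is an executable together with its detached signature and the
// certificate the signer claims to own.
type SignedFile struct {
	Contents  []byte
	Signature []byte
	Cert      Certificate
}

// Sign produces a signed file. Anyone holding the private key, legitimate
// owner or not, can call this: the signature says nothing about who held
// the key at the time.
func Sign(priv ed25519.PrivateKey, cert Certificate, contents []byte) SignedFile {
	return SignedFile{Contents: contents, Signature: ed25519.Sign(priv, contents), Cert: cert}
}

// Verdict is what a verifier reports about a signed file.
type Verdict string

const (
	Trusted      Verdict = "trusted"
	BadSignature Verdict = "bad signature"
	Revoked      Verdict = "certificate revoked"
)

// Verify checks the signature against the embedded certificate and then
// consults the revocation list (keyed by serial number). The first check
// passes for a file signed with a stolen key; only the second can catch it.
func Verify(f SignedFile, revoked map[string]bool) Verdict {
	if !ed25519.Verify(f.Cert.PublicKey, f.Contents, f.Signature) {
		return BadSignature
	}
	if revoked[f.Cert.Serial] {
		return Revoked
	}
	return Trusted
}

// Scenario replays the incident with constructed data and returns the
// verifier's verdicts at each stage.
func Scenario() map[string]Verdict {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	cert := Certificate{Subject: "Example Publisher AG", PublicKey: pub, Serial: "EXAMPLE-SERIAL-0001"}
	revoked := map[string]bool{}
	results := map[string]Verdict{}

	// The publisher signs its own legitimate software.
	legit := Sign(priv, cert, []byte("legitimate installer (constructed sample)"))

	// Someone who obtained the private key signs a dropper with the same key.
	dropper := Sign(priv, cert, []byte("malicious dropper (constructed sample)"))

	// A copy of the legitimate file altered after signing.
	tampered := legit
	tampered.Contents = append([]byte{}, legit.Contents...)
	tampered.Contents[0] ^= 0xFF

	results["legit-before"] = Verify(legit, revoked)     // trusted
	results["dropper-before"] = Verify(dropper, revoked) // trusted: the signature is valid
	results["tampered"] = Verify(tampered, revoked)      // bad signature

	// The CA revokes the certificate once the compromise is known.
	revoked[cert.Serial] = true
	results["dropper-after"] = Verify(dropper, revoked) // certificate revoked
	results["legit-after"] = Verify(legit, revoked)     // also revoked: the cost of a compromised key
	return results
}

func main() {
	for name, v := range Scenario() {
		fmt.Printf("%-15s %s\n", name, v)
	}
}
```

Two things the output makes concrete. Before revocation, the dropper and the publisher's own software produce the same verdict, which is exactly why signed malware gets past checks that stop at "signature valid". After revocation, the publisher's legitimate software fails too, so a key compromise costs the owner every file ever signed under that certificate, and a verifier that never consults revocation data never learns about any of it.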
The incident also highlights why malware authors want to sign the code they write. In the case of Mediyes, the signed file is a so-called dropper, used to seed computers so they can be easily manipulated for other purposes; here, the purpose was to intercept browser requests sent to search engines so the attackers could earn money in a fraudulent pay-per-click scheme.
Kaspersky last week estimated 5,000 users, mainly in Western Europe, including Germany, Switzerland, Sweden, France and Italy, had been exploited with the Mediyes Trojan for this purpose.
Criminals are increasingly using stolen digital certificates to sign their malicious code, Symantec acknowledges. The advantage of code signing for them is that it helps the malicious code evade detection by antivirus and other types of anti-malware software.
"We have seen more being signed, sometimes with stolen certificates," says Liam O'Murchu, manager of Symantec security response. "It lends an air of legitimacy to the file."
Compromised digital certificates with stolen keys are available in online criminal black markets, alongside other stolen goods such as credit card numbers, he points out.
As Symantec evolves its malware protection method, a risk-based score built from several factors will be used to quickly determine whether code is benign or malicious. Digitally signed code gets an advantage in this scoring system, says O'Murchu. If attackers are effectively figuring out how to get around detection this way, the scoring system will need to be recalibrated, O'Murchu acknowledges.