Skip to content

Elude control … let’s digitally sign malware code

by Pierluigi Paganini on November 20th, 2011

F-Secure Researchers have discovered a digitally signed malware that has code signed with a stolen government certificate belonging to the Malaysian Agricultural Research and Development Institute.

The issue has long been known and this attack methodic has triggered a widespread lack of confidence in the process of trusting based on the use of certificates. The impairment of some famous CA as Diginotar and dissemination of news related to the mode of spread of the dreaded Stuxnet and of its successors have allegedly cracked the mechanism underlying the trust model.

There is a very important consideration to be done by analyzing the case Stuxnet, the malware used valid stolen certificates. Consequense of that is that other malware acts in the same way, for example the Zeus bot looks for any certificates stored on an infected host for possible later usage.

The use of digitally signed code of an application has main purpose is to increase the trust in the development process, avoiding fraud and software alterations. Using digital signed code the malwares are able to elude all controls and related alert provided for the execution of software developed by non-accredited firms.

There are two main problems that are implied by the above examples. First related to the development process that must be improved to protect application certificate and private keys. Software certificates stored on a development box that has Internet access is not a good idea. Ideally, but also more expensive and cumbersome, hardware certificates should be used to sign code. Likewise, signing certificates should be kept on a separate host that does not touch the rest of the network or the Internet.

Second problem is the wide-scoping inherent trust given to any signed certificate from a valid Certificate Authority. Why would my system inherently trust software that says it was developed by a credit union? Right now, the answer is because the Certificate Authority told it toToo little, isn’t it?

The malware spreads through malicious PDF files that drop it after exploiting Adobe Reader 8 but according F-Secure blog

This particular malware does not gain much advantage of the signature any more, as the certificate expired in the end of September.

The malware is currently detected as Trojan-Downloader:W32/Agent.DTIW.


  1. I adore foregathering valuable details , this post has got me even a lot more information! .

    • paganinip permalink

      thak you. I hope you will follow me in the future. It’s just the beginning.
      Best regards

  2. You are a very clever individual!

  3. An stimulating word is couturier statement. I opine that you should pen author on this theme, it power not be a bias message but generally group are not enough to mouth on such topics. To the succeeding. Cheers like your Elude control … let’s digitally sign malware code | Security Affairs.

  4. invest liberty reserve permalink

    An fascinating word is designer scuttlebutt. I expect that you should correspond solon on this theme, it strength not be a sacred someone but mostly grouping are not enough to verbalise on much topics. To the succeeding. Cheers like your Elude control … let’s digitally sign malware code | Security Affairs.

Trackbacks & Pingbacks

  1. Elektrische Zahnbuerste
  2. 2011, CAs are under attack. Why steal a certificate? | Security Affairs
  3. Adobe Code Signing Certificate used to sign malware, who to blame? | Security Affairs

Leave a Reply

You must be logged in to post a comment.