Home page logo

funsec logo funsec mailing list archives

OT: Front company used to sign malware
From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 11 Feb 2013 04:54:05 -0500

Does anyone know anything about the Trojans? I'm specifically
interested in what the CA knew (or should have known) before issuing a
code signing certificate.


Using a shell company, criminals in Brazil purchased valid
certificates from a certificate authority in order to sign malware,
according to a report from Malwarebytes. The new method of obtaining
signatures was detected when the criminals signed a banking trojan and
other malware and put them into circulation.

The certificates were issues to a company called "Buster Paper
Comercial Ltda" which apparently only existed on paper. The company
was used to request a certificate from CA Digicert. Digicert told CIO
Magazine that it did issue the certificate because at the time "Buster
Paper Comercial Ltda was a legally registered business as confirmed
through the Brazilian Ministerio da Fazenda: Cadastro Sincronizado
Nacional." The certificate has since been revoked.

The trojan that was signed with the fraudulently obtained certificate
was sent by email as an attached executable file. The executable was
disguised as a PDF file which, once opened, installed malicious code,
deployed further payloads and tapped the system to obtain bank account
details and passwords.

Digitally signing malware has been used to give the user a false sense
of security in the software and to get it past some defences in
operating systems, but in the past, most of the certificates used have
been stolen rather than applied for.
Fun and Misc security discussion for OT posts.
Note: funsec is a public and open mailing list.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]