funsec mailing list archives
OT: Front company used to sign malware
From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 11 Feb 2013 04:54:05 -0500
Does anyone know anything about the Trojans? I'm specifically interested in what the CA knew (or should have known) before issuing a code signing certificate.

http://www.h-online.com/security/news/item/Front-company-used-to-sign-malware-1799101.html

Using a shell company, criminals in Brazil purchased valid certificates from a certificate authority in order to sign malware, according to a report from Malwarebytes. The new method of obtaining signatures was detected when the criminals signed a banking trojan and other malware and put them into circulation.

The certificates were issued to a company called "Buster Paper Comercial Ltda" which apparently only existed on paper. The company was used to request a certificate from CA Digicert. Digicert told CIO Magazine that it did issue the certificate because at the time "Buster Paper Comercial Ltda was a legally registered business as confirmed through the Brazilian Ministerio da Fazenda: Cadastro Sincronizado Nacional." The certificate has since been revoked.

The trojan that was signed with the fraudulently obtained certificate was sent by email as an attached executable file. The executable was disguised as a PDF file which, once opened, installed malicious code, deployed further payloads and tapped the system to obtain bank account details and passwords.

Digitally signing malware has been used to give the user a false sense of security in the software and to get it past some defences in operating systems, but in the past, most of the certificates used have been stolen rather than applied for.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.