A new tactic cybercrooks are exploiting masks online attacks behind what appear to be legitimate digital certificates.
Just about every day we put our trust in software developers and friendly website developers to keep our information secure and limit the spread of malware. It is almost inevitable that we will run into malware at some point, but some of the malware encountered recently has been found hiding behind trusted digital certificates.
A digital certificate is like an electronic credit card that establishes your credentials when doing transactions on the Internet. Certificates are issued by a certification authority, and they usually contain your name, expiration dates, a serial number and the certificate holder's public key. Basically, a digital certificate is more or less a digital signature used for encrypting messages when accessing certain sites.
By trusting a digital certificate, a site then trusts the information being negotiated to and from the accessed system. Recently, a security firm discovered variations of a new Trojan linked to a fake company in Brazil that had been legally registered. Its digital certificates were therefore trusted and provided a means for malware to be masked. The fake Brazilian company was created for the main purpose of obtaining a verifiable digital certificate. Within the certificates, there were as many as five variations of the same malware discovered. Now, as many as 19 variations have been discovered, which is proof of the digital certificate being used to exploit and pass off malware in abundance.
The validation of files is done through digital certificates. With malware hidden in a file that is validated because of a trusted certificate, it will never be flagged or blocked by something like a spam filter. This means attackers would be able to send contaminated files through email without any foreseen roadblocks on the receiving end. This case is somewhat like a recent rash of attacks using the vulnerable Java platform.
In the recent case of the banking Trojan called Spyware.Banker.FakeSig, the malicious file sent through email is a PDF, which connects to a server that downloads the Trojan to the desktop. This type of attack is commonly used in spear-phishing campaigns. When security researchers delved deeper into this malware-toting digital certificate, they found that it had been issued to a fake company called "Buster Paper Comercial Ltda" out of Brazil. As it turns out, if a business looks legitimate to the certificate authorities, the organizations that approve and issue certificates, they grant the certificate and no one is the wiser.
Until the practices of certificate authorities are cleaned up, we may continue to see the exploitation of malware-laced digital certificates that literally grant cybercrooks free, unadulterated access to spread malware through many different methods.